cerber | bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7

Analysis

max time kernel
1216s
max time network
1216s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cerber.exe
Size

604KB
MD5

8b6bc16fd137c09a08b02bbe1bb7d670
SHA1

c69a0f6c6f809c01db92ca658fcf1b643391a2b7
SHA256

e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
SHA512

b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
SSDEEP

6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___FS0XHQE_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/D276-E50E-7F45-0446-99E5 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/D276-E50E-7F45-0446-99E5 2. http://p27dokhpz2n7nvgr.14ewqv.top/D276-E50E-7F45-0446-99E5 3. http://p27dokhpz2n7nvgr.14vvrc.top/D276-E50E-7F45-0446-99E5 4. http://p27dokhpz2n7nvgr.129p1t.top/D276-E50E-7F45-0446-99E5 5. http://p27dokhpz2n7nvgr.1apgrn.top/D276-E50E-7F45-0446-99E5 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/D276-E50E-7F45-0446-99E5

http://p27dokhpz2n7nvgr.12hygy.top/D276-E50E-7F45-0446-99E5

http://p27dokhpz2n7nvgr.14ewqv.top/D276-E50E-7F45-0446-99E5

http://p27dokhpz2n7nvgr.14vvrc.top/D276-E50E-7F45-0446-99E5

http://p27dokhpz2n7nvgr.129p1t.top/D276-E50E-7F45-0446-99E5

http://p27dokhpz2n7nvgr.1apgrn.top/D276-E50E-7F45-0446-99E5

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Blocklisted process makes network request 5 IoCs

Processes:

mshta.exe

flow pid process

2181 2460 mshta.exe
2184 2460 mshta.exe
2186 2460 mshta.exe
2188 2460 mshta.exe
2190 2460 mshta.exe
Contacts a large (1104) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

788 netsh.exe
1932 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1388 cmd.exe
Drops startup file 1 IoCs

Processes:

cerber.exe

description ioc process

File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ cerber.exe

flow	pid	process
2181	2460	mshta.exe
2184	2460	mshta.exe
2186	2460	mshta.exe
2188	2460	mshta.exe
2190	2460	mshta.exe

pid	process
788	netsh.exe
1932	netsh.exe

pid	process
1388	cmd.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	cerber.exe

Drops file in System32 directory 38 IoCs

Processes:

cerber.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

cerber.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpDEAC.bmp"	cerber.exe

Drops file in Program Files directory 20 IoCs

Processes:

cerber.exe

description	ioc	process
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe
File opened for modification	\??\c:\program files (x86)\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe
File opened for modification	\??\c:\program files\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe

Drops file in Windows directory 64 IoCs

Processes:

cerber.exe

description	ioc	process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	cerber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

netsh.exemshta.exeNOTEPAD.EXEcmd.exetaskkill.exePING.EXEIEXPLORE.EXEcerber.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cerber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

2432 PING.EXE
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1368 taskkill.exe

pid	process
2432	PING.EXE

pid	process
1368	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{2670000A-7350-4f3c-8081-5663EE0C6C49} = "8192"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\NextId = "8193"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\Extensions	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000677af4195ab79f5f175a78125f1f81be85665880e0ffee70c195dc3daaddf412000000000e80000000020000200000002689d7a744e548cb9a9cf5d71e4e7f6a91e371f4ea275c529e862f45886d5a54200000002da270a2f63caad65708bdf725702bd4a62b47c00cc601c7164003e2c21d7c84400000008a37d202ba609dc13748b5a088062f0fb25f1a362434b0e6f0597918db8d124c15a4b2a45380a27b4c9074df87b624feaa73912a81bb53ba3e268b023391517a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} = "8193"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\NextId = "8194"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms\AskUser = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432804134"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE\CommandBarEnabled = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30df77329709db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000d4fb7de3e009e88837958a03173988f77b14e1b0f5af133d5ada832853a9f6f0000000000e8000000002000020000000fd480a5e75b39bf20f642c65d9932f82dd9b79f1f32c8f9ffd13e06128a80bc1900000002e568d356adf86ffb74a0f9cf25e3e16b1085f20ea022c5b1a4e6bf236d406191c8827555fdbdbbf912a8c1ccd6ab8352b221ccbe4ebc07ef9712df0a0c0caa0fed4b5155ad1ce45bd597bd7b69dd8942211d3839fdde36e729b1fd5ede162b3de8d6bbb178f3e424a422de0de2fc1cf0ffb08d919171a1dd7fc43f8d258f279fc2dd6dd95e68ac27f698bb4364cfd19400000003a94245af93ffc63300d73f8be4c7cc6a6ad73a2646e3dc2630a9a26468c76a43827c616632276889ab3268349d79b8a96b19f4bc8404c4814dc0c04f0a383b8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{610D1A41-758A-11EF-B578-7A9F8CACAEA3} = "0"	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2128 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2432 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cerber.exetaskkill.exe

description pid process

Token: SeShutdownPrivilege 2104 cerber.exe
Token: SeDebugPrivilege 1368 taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1860 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1860 iexplore.exe
1860 iexplore.exe
1520 IEXPLORE.EXE
1520 IEXPLORE.EXE
1520 IEXPLORE.EXE
1520 IEXPLORE.EXE
1860 iexplore.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

cerber.exe

pid process

2104 cerber.exe

pid	process
2128	NOTEPAD.EXE

pid	process
2432	PING.EXE

description	pid	process
Token: SeShutdownPrivilege	2104	cerber.exe
Token: SeDebugPrivilege	1368	taskkill.exe

pid	process
1860	iexplore.exe

pid	process
1860	iexplore.exe
1860	iexplore.exe
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1860	iexplore.exe

pid	process
2104	cerber.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

cerber.execmd.exemshta.exeiexplore.exe

description	pid	process	target process
PID 2104 wrote to memory of 788	2104	cerber.exe	netsh.exe
PID 2104 wrote to memory of 788	2104	cerber.exe	netsh.exe
PID 2104 wrote to memory of 788	2104	cerber.exe	netsh.exe
PID 2104 wrote to memory of 788	2104	cerber.exe	netsh.exe
PID 2104 wrote to memory of 1932	2104	cerber.exe	netsh.exe
PID 2104 wrote to memory of 1932	2104	cerber.exe	netsh.exe
PID 2104 wrote to memory of 1932	2104	cerber.exe	netsh.exe
PID 2104 wrote to memory of 1932	2104	cerber.exe	netsh.exe
PID 2104 wrote to memory of 2460	2104	cerber.exe	mshta.exe
PID 2104 wrote to memory of 2460	2104	cerber.exe	mshta.exe
PID 2104 wrote to memory of 2460	2104	cerber.exe	mshta.exe
PID 2104 wrote to memory of 2460	2104	cerber.exe	mshta.exe
PID 2104 wrote to memory of 2128	2104	cerber.exe	NOTEPAD.EXE
PID 2104 wrote to memory of 2128	2104	cerber.exe	NOTEPAD.EXE
PID 2104 wrote to memory of 2128	2104	cerber.exe	NOTEPAD.EXE
PID 2104 wrote to memory of 2128	2104	cerber.exe	NOTEPAD.EXE
PID 2104 wrote to memory of 1388	2104	cerber.exe	cmd.exe
PID 2104 wrote to memory of 1388	2104	cerber.exe	cmd.exe
PID 2104 wrote to memory of 1388	2104	cerber.exe	cmd.exe
PID 2104 wrote to memory of 1388	2104	cerber.exe	cmd.exe
PID 1388 wrote to memory of 1368	1388	cmd.exe	taskkill.exe
PID 1388 wrote to memory of 1368	1388	cmd.exe	taskkill.exe
PID 1388 wrote to memory of 1368	1388	cmd.exe	taskkill.exe
PID 1388 wrote to memory of 1368	1388	cmd.exe	taskkill.exe
PID 1388 wrote to memory of 2432	1388	cmd.exe	PING.EXE
PID 1388 wrote to memory of 2432	1388	cmd.exe	PING.EXE
PID 1388 wrote to memory of 2432	1388	cmd.exe	PING.EXE
PID 1388 wrote to memory of 2432	1388	cmd.exe	PING.EXE
PID 2460 wrote to memory of 1860	2460	mshta.exe	iexplore.exe
PID 2460 wrote to memory of 1860	2460	mshta.exe	iexplore.exe
PID 2460 wrote to memory of 1860	2460	mshta.exe	iexplore.exe
PID 2460 wrote to memory of 1860	2460	mshta.exe	iexplore.exe
PID 1860 wrote to memory of 1520	1860	iexplore.exe	IEXPLORE.EXE
PID 1860 wrote to memory of 1520	1860	iexplore.exe	IEXPLORE.EXE
PID 1860 wrote to memory of 1520	1860	iexplore.exe	IEXPLORE.EXE
PID 1860 wrote to memory of 1520	1860	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\cerber.exe
"C:\Users\Admin\AppData\Local\Temp\cerber.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:788
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___SH7AZ_.hta"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://p27dokhpz2n7nvgr.12hygy.top/D276-E50E-7F45-0446-99E5
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1860 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1520
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___FS0XHQE_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "cerber.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
3f39b67490eaf9d7235ee3a3dbd5cfd5

SHA1
63b9a6b1be310bf0421be7b2e886e0ba8c3257be

SHA256
3bd812f05bea870f9525de16c6fd14394e398feb59d507d072c277a5966b9ad0

SHA512
aa97d684f603e7a94141def9b2bfba8020dece78be17922b84f3dcc283edc1fe9b4cec20d48c7dd67cae4ca09e0cd71c962cb75ce5cd7e5b93fef0e0636a6cd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
942d536234e9fceaa7de0c3c027cc294

SHA1
cd587b3b237851f81bbb1f50532f738b749de429

SHA256
2bae6405157ef2d22e7aef8ad4b37109e6bfbadc8daab2e069bd4e6335839a1d

SHA512
d83405a8baac909f5e4f966292fd5d361b69bb31debd3b18eeea63789b9de0253f88046edcfc4580f6854f78b9a195f3da67de78641c21255d4c69682d6fc29d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cc6191276de6316698773a14ba563f2

SHA1
0d518c48d0d08be0c72bed95e76913a3aed27ebe

SHA256
7d51a2211b5d7f39cf31614ef314e136d87012cb68b6ddde981a0771337dd5f8

SHA512
ac08c0b6fe2cc16152bd5c995bfbcb1bebf7ed50fa7c2614352548c8dbefe158b1a8f9db432a157429cafbc57ded7563f8dfb5fc9bff8e0875dbf3395b66ef61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b4a592190604760803cc5cafdc1cf4e

SHA1
05c9c05f548e4f8379fecd4c5782501f26c836be

SHA256
c9ab24fb4de38ad3f44def394f20170753c4bcda7f5ba160036299a263e24a52

SHA512
f5a0da8483d9ba5aae869761fb181ca37c7d438505258c5befb1611ae2b306cdbdc18a19166b45b2ecc222265c7777df9aefeeedf2fdad5d18465f7a62b7da71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b09bfa993cb5fa9d2d3b48641a17a638

SHA1
ea7256c8d327b5efcb6c97b337a7d83de3a74adf

SHA256
f53bd4c410173328164454f7d3a86c16d76c568f2c197cf0c4fe2a6eec1fed7b

SHA512
a0488a03162970be8373801cba18681f9e37a8b03e95773171fee981e69be2231f0cd1351da214472470c648e7ba097c80e468700773bcf1e84bb28a655d19f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd8ea99d3b09902ea8d389d06540092a

SHA1
4cdec8c2f073aca7696450944cc58839f29ef223

SHA256
89785af7509e075e79a945f084f5fd4d4d8a2dd36aa98abe07321591decc08d6

SHA512
4efa93260a14b9a4ad4fba952af7a82cea652818acac6e20017370fa40d1d5662a0470b85bae126be1a77714609975f2cb1c684f27f47384a115c8190d9f7876

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cbe425bb68d16b7f9e1b8232b229bc0

SHA1
cf8bdcc22731bcfc3ffce02eb6579f54915a962b

SHA256
1afac8ef95e91c95ffd97f417301e24db5f48fdf35949d2381338a5f7ce64977

SHA512
7acb8685d5116a62ece818c021e2a0668b268365e2b15bccd83de4aa8a173e75bdbcda0ef383b1ba388dacac0c94b68dc8a207efa56aa891f6b471d8140a09da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc7f71e6082a2c1094b1ece2ad014ae2

SHA1
22b54d70c6c72c42bdb32a83fd7c46104e0f12aa

SHA256
ebebe7be9e958876d1398af5368c07253ee6fc0c260d333dbe6423219315d847

SHA512
88a8c4f37e4f99b4083542cc912de9e3ed81670385e967b94bd40a4e8ad4772fb71d96ed4bbc882502b5f6c89ef379a4383cdb5abed71178de9d3d84fdb0910c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57f2c4c95c536ef86cbb58489182dc8c

SHA1
c6bbcd26b4f47792c06c9ff8c4bd4a020fb23f6f

SHA256
2c2f1ca1c3c57eca6d4277fe5d9ab33b1b4cb004af6ce4984196cded95bc9e71

SHA512
eb43fada0a0de294b5af7485602796a06e9a12eb16bd9de62145b5ad19c9adc63cd0f2dc49be8e129c7440d3f71039159270008dc05c95d394240a66d56bccc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84c96d96b53dd06a5ee561b8801e538c

SHA1
e472882305011e47ba96b435da5d6963f0dd7c71

SHA256
94a4c5052e9dd51642e670618971bdc58afb19a431d08708f38a4f88b3a5c91f

SHA512
27d8d25b8d742d2f5f872349d13b1f3c5ebfce18123faee88e60bdc09f7ff2b9d2044f3f45e91e599bc24cb88daa9851c5b68099423d8f65f840713e2402d872

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3831b11f3ea9f967a12b940fe5f6c6e7

SHA1
86f18a301700592122510d9b88da7494c3f836e2

SHA256
ddf2da1638e144063341940957141a1073307b96f60af2a88578f1fc5cdff2a4

SHA512
c72ea89666d3839937633753e5e03a850976a157db9167a234921da8a44c5e0dde03727cdf12b936ec3733b2f17ebe55228d71c6d73455ade2d2de8ba262a8f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a45787847cc984dd6065bc237b9af32f

SHA1
09f735ec0141f02f0085b2816e95a1e48e3e6bd3

SHA256
ffc65211a05391f7be743e3725d5aaaf745688e8af8a890630e2e93cc3e04df3

SHA512
642a087628c3d803c43a660c8fc6ee0743be7cc2bfe81da63066ebf9a1d08632f27238db3a2cfc25d085a6510e6e270699073353a2c31eff41ee04a0342823d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8791162d4409d9153aa4803002f7d89

SHA1
4465561a95485b71bc2f3a99ce575394a82fd768

SHA256
3792bb3d9657fc22f8e884b4292b2100292b578b4b7b0dee3146a3c334a35e3d

SHA512
aa13c9ef067083da775e1ae4c7738698fcd9edc32a32ebdfe341c7b5d7635bafca7255137b3f76273525725873305f17f77fcf79ce56725b8d24d9fb6c3b0b26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69928b166ad9c7184c85aae72b45aa1f

SHA1
45262ad90ab919b1685c4ba4aaaa12352b81fd3a

SHA256
ccb9a2912d933bcfff6ef4fca5a8478e60fd3b52fee6e6c92b45bb05433b81b9

SHA512
80da8740e4bbde2d7bf3ac90861d72f157f93e56b8745124a7e58513ced20a41816c1203991832b3246deda18a66325edf24e0f892913562f6bbcccf29c21337

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e3261ac05bf6b564287db3484b3ce42

SHA1
db42ab9e6be6c43f6eeee693744db03e67ce7886

SHA256
f8b85d6914ff5dd7b3e604f21fd61ee77362927f1b2a0a41f00186d16da54a77

SHA512
3ff3d3de68612577ba6b3d1df276020d9c1e339d9bce2eb5ad3e782bd3684091fd03822395db04a7baba10e372fc8a96134cc6e9779be3b6033a2584e3de8df6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
541e2bba056085dc32ac5ce5234f129a

SHA1
ae3083fade47c84461c2d28a19298152c9555026

SHA256
e2fbf66ef626d4e8292baf5054a5dae99da877a0c050bc63dcf2e2509dc42d82

SHA512
1290ffccdff0c934c48749b9e2558d384e293ae1aeb4ed0081cecbb917f658d39142ca53c0bad8155c02cf5c96d08a4cf0893ead2533f1253e20614cda543e8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51712430bf446c7c8af0de27200127f1

SHA1
4301a1bdbb4d9253d300a67c5cfbce48e72418c0

SHA256
230b699df1630ea35556b14dab7f77878a661ffda857876d67c16e5fed28f4fa

SHA512
f7c1f73254f7aba72a48ae5f150fe0e76df52b3a2db46c1f23b702b002b7640de8e54a3c7e03e3e23442e9c867bac2148bcdb6c01473d76439982e64595cc274

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76484dbef7f2ad575920ee9fbab6e46b

SHA1
956ab5606330c864608ff4d152a2771e67bfce04

SHA256
391fa0a7deaf5b735188b724977bbfd217a49269c5b6d3a621020b792f6479d3

SHA512
c1e5166fbd96f2d1bb8d7c5ea2ffe0afcf19e347c05b5ca4692db04d3b815e30f2cd60be7b589e709832547f4492e83b47cf345dca43e1ddf656672de7ed19b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
773eaec462e2b2637aa1b9552e360d9e

SHA1
e2a0cdf8a9fab429cb65550090146b1aff4dacfb

SHA256
8e7b8db9f2b4eaa43641a6409b384c2e9923ee0d2de42866b6cc17b0ff4253b3

SHA512
040cf836cd7ed5be41d9a7bd1401c9266c99aca14b436d0d6d31249e9febd60c669f4190dfce420167c23abe6059baa203aca53bc123bf45041efc0f0683f257

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93af2497f963e7dd557ecf9d6b5bf3aa

SHA1
29fe8ec9efdb2cba3a23db52626d3fcef7695b01

SHA256
7935eaed675f4c458f3bbe6a3ac6ed89ff1047443dc494b800dcfecaa8c920b2

SHA512
a0027c38126840070828c0c12105e0677f5a993adf0bd3d7c7c7ba18b58602615d4bc4a45788fa77727a6c59c6e1a7486a6f6cddef41b96864991d3fa88485f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d228fbf06660fa810332a35ab0c2c8e0

SHA1
015678b3c96cf6e2b2f9257b90e65f9650254119

SHA256
f52c9db3813ff547ee920586103a464e28ba492ec3a8991058448b080583c86c

SHA512
9fce6dd96273a6170a6ec360f60fbd16d5fd8992e093eaee1b2c8c9440a291a8c4b45d16b0c2c18d1979a0e6913d345d9d040df73ae0a5723dbc9d3dcd673997

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c9f61125af2e970208d157a13ef6390

SHA1
a2e0716623c5224a319e150bbbc564541a6bb75e

SHA256
9b1b0eafdf82290dce2ab2fda9f7fe5539dfab03dc8052e1a55ae5d420b21b29

SHA512
eb57f0cc9d4989ec4ce4b1edf33921b691fa2f03beda07531792c7e2845f29644cc5ecf3bf0bc8ff9f9c9246c650162eebe9cc722fd98656148990a3ba8923a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ab08f46fa68ee5e6c0c2fece08d2cb6

SHA1
07cd33dce4b8993c3375658e1116713f020dc6a2

SHA256
e1e7c1c3a04440ad1571563610094d7167afc1154a43d1ee845035a4e925dc1e

SHA512
7a2c4830b2965f49bfa7e75298e5073f714152022a83aee96fc3ec32b5fedf13e98a90f254d78a38aebd18ffd8f7a74a4e44b52d79a7265f761d591c960c5d1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
222483bff063325f9c90ff54edec2a4e

SHA1
ef9001ef5ed925b1c5a42a86d34ccd65ebdbd68c

SHA256
aee28d95b7883962603041573087bd6ba26dfa7ff266f768c72951823e0e650c

SHA512
cff2eb84edb15696ef70867414fef00105a4c57555c8c115e319653f34473caff35de1a9723128afcf228a4a67252ba49d5a52fa822c761b75fd12b71d19f945

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f913944225bda14e526f3cc2ff5152f

SHA1
b76704712989f0ea4392609dfbf8fba3849560c2

SHA256
53fafaa9f3223e766f106d6f91ec4f4a9dc119ac31343d86825db64dce924634

SHA512
bed3501f4a25b94da92dcd468ea2b0ea8c0e48a08e698a732bc86218cacf534eaa5659c9292f8e7d6a9d4051fb75e75bacfdb5349255d5da27e03768cecea013

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40d7ec6535d1d0563b1d6105bdb1b035

SHA1
189471e88b24ac09172bd578330c50f3de678217

SHA256
8476c4bc749620d5808838344fd5f0492b1a2280741c094b7e6673f4363912bc

SHA512
82ec3472707a615be17720b52fc02031f525b90f582a1c056e0c3893c68c2bc4e5f93489283448d5db4e28c1c63c7304e713d0b10f810b236dd8fe2555d6cf0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ca1322b8fdbd86ebd333ade6770f458

SHA1
e603f412cba75d551a2cbeb94dbe03040d0887d7

SHA256
8bb7074d0fa699c26b1e1f203800c242d0bc7bd1301d5551b07f9189e7e19e7e

SHA512
d5f6754b0af214ac691cf211bb378df63919ac95e0c63dd164afe52f1e6876fe51a0baacc1affa99834999ec6dc7e2816865a021e8a42166afd457aaa16faae1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9fd3d18e3aa9352c1fb7cac9662e3b1

SHA1
ee8168fafa745ba13505994689f82411f917ef90

SHA256
71279c10560d441604d0212d67fc8fd85d46c1775b2548a7d536189da92dbeec

SHA512
cf6381e6e8670807c8136b55b2be1dc1b260148a0e7f0d741bdd09615950180b841be9450e321460223f429c9f4a673a1f1a4dbd48aaa42d6cbfd98d59494cb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67918081b27d5b86069615474854d2c7

SHA1
45c1438c12f28891abf02c6209368387a8541a5b

SHA256
49dbf4e8af3abe41a187d88db145e9e3abb1682e793cd739f21fc281ef2833b2

SHA512
5f84d3103a0ec465552c10c87fe28f902c3dae6a8ddda8bda0ef9313c82c84f8c1451ea34360555bfb3d1267331710580df693371aee0d0eef9100d315e7f0f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d2a7083290d5b50f12992b02ea094d2

SHA1
0fd50baeac70a6824eacce5b3e8db9cf9a92d822

SHA256
9c3a2875678f8ac4e0e554134c5a01fd04b77b58ce2110c88c49a9f5705dc598

SHA512
41f18739b7c5249890856adc9c12538177a5faedbb6defd8b45578fbea740953f960e6732efa84b9d4c7b40324c657003eb4c584d032d94f52ba0f41ba57ea3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ce3e3c41db07efcbb5311317279cf40

SHA1
ff52ff4bd7e41a564f0ca408e7a5a2bf615c707e

SHA256
c870dc6e5e9dff8dbf748113d59beb10e9809f6812d58f1749a3f57af66ba8fb

SHA512
a0646e02cd74202c576154973fdb02fa8535b61dff32247e4d421f06550387a1a23adcb070dfaec3c3abd2cfd0de304207b2d2df29daf9560304af71fc2f495f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd54ace0afef064fdb8f8fbc9f7f83b9

SHA1
3f51c9545b94e6af65df7090788562bd24286cf8

SHA256
8564f02713a731697affa2e890af05cda8b2a2db924ce92699b86766b321401d

SHA512
77480fc5297b86a529b22c141d2cc8db7b07215000ddd7be2002f78a75223c6147551962a4766f5dd87687eec16308762eda08fc9f10a49f9570ae6c86d3f75b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b4f73293ade6dfb2213e93f8e8b7f8e

SHA1
4ed8f91c6be14bf19aeb86a75007c045527c8884

SHA256
7bb10be0ba8ff98ec56ad54050bdda429e270a1b5d4a8fd89ac5870c1a23a2bd

SHA512
866555d140760fae0e08bd49b62c8210fc823a56281197b21223493f6e38d6b5f75fca6f400855f5628d9ed5f36ce1c0cd7946835d0443dd59bf3c803cede1eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c041002cd084a58d3ef933a9e35a1131

SHA1
50276cea6d5e311a6dcaa9cc5edfa8805cf05bad

SHA256
f039640337ef7ecd7520759503273439d60916c79630357530a84cd00582c8cb

SHA512
29de4c0d8e8407d378bf912493d58ec9e7553e00781834186c9b72b72a661f1f589e00491b9f46bb7edb8576cd4ad4b05730d9d85b51164dd24b9704f681d1b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
611b31b7f2ff2c54f953f5cafc8107a8

SHA1
5d5ba0cdc64ca1d010c480aae6aabd4c5b81d757

SHA256
8a8c7481acc69909bc1b46ed276d55254191e779801e38aebbdc74ba15e9e587

SHA512
ab18c825f174df7b02fd5b4b3ff02a3c8a420a38d1abea9d32ccf596d05d66587c7de4de8cfa21cd7733d94e5a693e5126c3d67f0549510c54b65fb1973092d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5477b0398c6441a17e33a83ad6cfe36c

SHA1
9b759559ac928f3560d7f6e20949ae792d4f66fe

SHA256
283bc7f31d51119eec5379c9e002699d3934b317f612db1274c41c99982e637b

SHA512
d8f13bea49d887c8f7d6fa4160d3f52a99e4ba77bc86a055ba48f5217a89b5126f5d3666b40ec6a9989c1d24b89764daebc77aa4468df375b9c438104be95f78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
672bb7b3b344bdcbb723aab923fcfe47

SHA1
234ed03748127e751ebe8c832508ef6141e41bbf

SHA256
1359576f7c73bc3085d0b2bb629b5361a928acde59d738e029df0302919de900

SHA512
e1f1f72044a10c169d4f680ab51c5c64ded82036f955c2f9e22ac2c71e8a816819f7d5fc96ba9a04a03d1189a57fcb095cb1b90fa46c2dbc48a41f62a8fae5c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb0c777aa143df312309d2bf70d13e4d

SHA1
92ec887f1a8de429c2319995571dae57084aa2fa

SHA256
5266a74dd6008a4a6b75a90ba5210e84173d980ed53c69979ca5e6ac91517303

SHA512
48b628ca5df0c7b9fc8db96310e5ce77f002328940b95682b332b2a02348dd2c1d1077f6280490943c1c46f40e58d6aa6cb347ab624853d413ae62f9e530b8dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\anyweax\imagestore.dat

Filesize
8KB

MD5
2b5f7393f1d536579fd9a5aa9eea8ab2

SHA1
d95bff2d5b04da8db46cd5a225d8eb61f701e236

SHA256
5192fc0e65ebf641ff5ac195c0696034c7f29ebbf0e55459d79215d42640de10

SHA512
3d836f0b1a46dfb004aaab86afc42e5b36163dd41aedca812d5c0c78adfc12c3262686184e1af266069172f9fc73c7107f06036d408aa08588b40bfbf2db59ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\qsml[1].xml

Filesize
480B

MD5
da0d12b2bb44e059ae4194ec7ec52a92

SHA1
0e5c129c56001a5276bbefdbc00b7d924524273a

SHA256
a24ddda9d9f5386000fbd124077e619117df189874c3bf5edc4e07f7295d661a

SHA512
d90643636ff71bfe2ac7a49a9fa9e7898639e328d5bedda8e577db383e7d31c2da4a5154c6f001a34a7a6bc7ef87788ce8055a0dcf31058aacc8cd8f5976886b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\qsml[2].xml

Filesize
472B

MD5
8d3b76ea23eb59c5538bbcdddb570d9c

SHA1
33fdb022f95e3d09e6ceaa667f3707ebedcc464e

SHA256
1ea22ed26515ee1a522da3809110015074599c59cbbc13a05da61c21d805dec7

SHA512
8c7fbfa1850442170eaa21d5c603930e80d986fc488ddd2c61fa53ba2152f65232a89ac69bafa211028b37387f7c0601b8a30e34b72fa4683e46e745f5fec327

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab82D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar840.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___FS0XHQE_.txt

Filesize
1KB

MD5
3d5ba72f3ac54fb047a948da4b8dc41e

SHA1
a8028ec73d2a0568a99b5006154ac479a023692a

SHA256
16aa775a5a2355ef16565469c5d4920d7605259de78c2d9e04108013170c1dea

SHA512
22b8be3f4ef1ae08a40ec5ff3d59b092f5c6ca50a1a944c274711f1e8906615b1735a25c8daed3c3ed7613e4408784af03889e4fb1fac7ce6146e6f5418caed9

Download Submit
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___SH7AZ_.hta

Filesize
75KB

MD5
468649717eadf7887c65574d9badb9a6

SHA1
e3f3d79e19797206d9d997745f545c5df00b8c51

SHA256
3369a12dc5a1645d0aea1898d1289676e04b30cda1a65b524d726f66d1b7faad

SHA512
457c808daf6364ca8565583050994458065df426a466b2406fd734dc1ffa2f99dd902baf2ad67d5128d03e42f68559ed3734d02f383622e8188fe2b7029ac442

Download Submit
memory/2104-0-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2104-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download