Analysis
-
max time kernel
90s -
max time network
90s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-10-2024 04:23
General
-
Target
Fynix New.exe
-
Size
37KB
-
MD5
3c1c9247d726d5ac8bdfed308978d70b
-
SHA1
a5b9431287a994b3a3db35bf87f945cf47db8b0e
-
SHA256
a966d97e4077b0f97ddb24841c7ca64a277aeee118cc89c8723c65cfd4c632c4
-
SHA512
a89e0956e03374adddde0bf4257c5688c15a2b1070b92ee863c9ca1906ad9ca304be207a3512c06cdad1d136d968e08dceb0b8a71571d6b30a47d6140c684ef7
-
SSDEEP
768:QiHg6DtKhGXmn4VaoOpwPF6eYajDsdPl:QiRtmGXxV9iP
Malware Config
Extracted
xworm
127.0.0.1:31491
european-influence.gl.at.ply.gg:31491:31491
european-influence.gl.at.ply.gg:31491
-
Install_directory
%Userprofile%
-
install_file
Update.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
-
Exelastealer family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 35 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
-
Enumerates processes with tasklist 1 TTPs 5 IoCs
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 10 IoCs
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fynix New.exe"C:\Users\Admin\AppData\Local\Temp\Fynix New.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/Rwn3gEbrUK2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffd85d146f8,0x7ffd85d14708,0x7ffd85d147183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3436 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4232 /prefetch:83⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,6379468817075196327,8683416869905512200,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:13⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c notepad license_check.txt2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad license_check.txt3⤵
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Fynix New.exe"C:\Users\Admin\AppData\Local\Temp\Fynix New.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\EXE9B51.tmp"C:\Users\Admin\AppData\Local\Temp\EXE9B51.tmp"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\EXE9B51.tmp"C:\Users\Admin\AppData\Local\Temp\EXE9B51.tmp"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get Manufacturer5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "gdb --version"4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"4⤵
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get Manufacturer5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"4⤵
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /IM "taskmgr.exe""4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "taskmgr.exe"5⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""4⤵
- Hide Artifacts: Hidden Files and Directories
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"4⤵
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3624"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 36245⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3976"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 39765⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1436"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 14365⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4792"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 47925⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4640"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 46405⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2632"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 26325⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2316"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 23165⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5384"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 53845⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5392"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 53925⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"4⤵
-
C:\Windows\system32\cmd.execmd.exe /c chcp5⤵
-
C:\Windows\system32\chcp.comchcp6⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"4⤵
-
C:\Windows\system32\cmd.execmd.exe /c chcp5⤵
-
C:\Windows\system32\chcp.comchcp6⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"4⤵
- Clipboard Data
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Clipboard5⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profiles"4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"4⤵
- Network Service Discovery
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
-
-
C:\Windows\system32\HOSTNAME.EXEhostname5⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic logicaldisk get caption,description,providername5⤵
- Collects information from the system
-
-
C:\Windows\system32\net.exenet user5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user6⤵
-
-
-
C:\Windows\system32\query.exequery user5⤵
-
C:\Windows\system32\quser.exe"C:\Windows\system32\quser.exe"6⤵
-
-
-
C:\Windows\system32\net.exenet localgroup5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup6⤵
-
-
-
C:\Windows\system32\net.exenet localgroup administrators5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators6⤵
-
-
-
C:\Windows\system32\net.exenet user guest5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user guest6⤵
-
-
-
C:\Windows\system32\net.exenet user administrator5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator6⤵
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic startup get caption,command5⤵
-
-
C:\Windows\system32\tasklist.exetasklist /svc5⤵
- Enumerates processes with tasklist
-
-
C:\Windows\system32\ipconfig.exeipconfig /all5⤵
- Gathers network information
-
-
C:\Windows\system32\ROUTE.EXEroute print5⤵
-
-
C:\Windows\system32\ARP.EXEarp -a5⤵
- Network Service Discovery
-
-
C:\Windows\system32\NETSTAT.EXEnetstat -ano5⤵
- System Network Connections Discovery
- Gathers network information
-
-
C:\Windows\system32\sc.exesc query type= service state= all5⤵
- Launches sc.exe
-
-
C:\Windows\system32\netsh.exenetsh firewall show state5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh firewall show config5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\EXEFE42.tmp"C:\Users\Admin\AppData\Local\Temp\EXEFE42.tmp"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
1Permission Groups Discovery
1Local Groups
1Process Discovery
1Query Registry
2System Information Discovery
6System Network Configuration Discovery
1Wi-Fi Discovery
1System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD58749e21d9d0a17dac32d5aa2027f7a75
SHA1a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a
-
Filesize
152B
MD534d2c4f40f47672ecdf6f66fea242f4a
SHA14bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA51250fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6
-
Filesize
480B
MD5c0d00a4f7a4837d585a13fcf18604a59
SHA1863ccc7ac65bc35fbe04d9f32e70131149d1d8be
SHA256fc42b026ad59d5272e96108125810fb43c09625ccc27ebca74eedc6997fce76c
SHA512ff2f9875ce0b99351a8ab378a0a93ed92882f835054a20eaf7e67dc02d65113ad32c861ddcfe5eb36ad1bce0b0bb55589ef543a246fe3c02decd1e103c38100f
-
Filesize
6KB
MD58f4a349fc0fd589a2ff87471b6fcf180
SHA1fc7a09bc276e5cdedd35f339df5e70721a20bdf0
SHA256e3c1d873950c1728e8bd67049b6844bde8944cdf84a4be045d1cce9ac306c999
SHA5122d4b7dd3afe8eb348b94c987b4b63aef929c436af23c640f599185ee80bd14f196dcb3513f905004707d888709330019e4506892716c125025da5a48f0e10621
-
Filesize
5KB
MD561e2d1e53ab5f270b3c532a6cb4da7f6
SHA119cf52872e28578b1f9d75e8a169a130555a71ba
SHA256061e13e155f72b218c4d57c6bb0f0a6fbb6181b9e63c9ea6d8156fc9b7dc336c
SHA5122bb480c3b1da9bfc3e9eb9bdaae59607e59f0f14a5cab13bb6b98aab1101d41649887c4d0aab873be05f38a9810e6781712d5a6d9eb88519321473e94f8bad46
-
Filesize
6KB
MD5ff907ef0b73fe8a34e4bfc0c3f4fd771
SHA155ea717b781c814d68f756ebac7cc917d5e4a489
SHA2561a69be235e4568b5403421633b56ace2948f392b9c3c880068ba96c77c52f535
SHA5127af3c881144fb360b6fc7f551afe9a465cb355ec03e4a958c7800b0e326e07e201ac02f1befba850874ca259f0c7e5cf51cc1b60414d1fb90cb77d035641acee
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD598fbf6e840e67e1f075bfb38caee7a0c
SHA19580fd456c38d208bc8a1dda767e30d12a887ead
SHA256c25fb4881aa8dd01e68ef2ba010e498a99821a250051f1aa3b5c0b01f267acd0
SHA512647bdc3edfa6018771a315c45ce28580587a3b81217377f593c25b5afc15966b3ac6bd0e793dc15721a911bd91fce9aa01d8c11372f27bc7781a366220a6a878
-
Filesize
11KB
MD51bbda61ec71a24a7f7554900b788abf9
SHA1af0bb12f2f9dcaaf462c39effad56fc48250e4b0
SHA256d2bce9e77810d94f38253263560155b8c48e4dce45dc7da54ef598fe44195b7f
SHA5124d718698946f4d7ab70ecb8f1fa06d6b8799e81a6282fdaa38e15d98b7c8ea523628cd42167db506f7768955257c2fd7b8d10b6927ea2bc8539e6fb1d171bae3
-
Filesize
9.5MB
MD5aecb2c382b2181620aa3243dcbca51c8
SHA19b103aa29dd1f39b7bb6261703f144bfdfa4a06e
SHA2566b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce
SHA512ccc1f0cb5a5db4f65a5f1a21741f4c29784061f6f3da512e14b0cfcef9d949f6f414a61c3f792cb55d2e8196b8bef51b099abdab29db7948e38864a9c28f731d
-
Filesize
94KB
MD5a87575e7cf8967e481241f13940ee4f7
SHA1879098b8a353a39e16c79e6479195d43ce98629e
SHA256ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e
SHA512e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0
-
Filesize
31KB
MD514709a8f2cc2e00fac56ff0437f72bc2
SHA108cc3f10280fdaa31d2a02c9176fbd6b730a446c
SHA256a4f7a2296c0989452d542789637c4dd66cffc7995fcef0e924804588daa74251
SHA512db7e00725ac035e0db9c9c625429d032e4260285237e22914ad71d29d4a6437390649b0a034ae20e8e9d69b35c58c928d06d45653a77e99967dc86215e4401b8
-
Filesize
43KB
MD52d1c4d692cd8184038222aad2f54751b
SHA1f36153cc210ff9e33c0d9cfbb9905d9c6772c43b
SHA256fd3ddc5129a4d8b4c27aa60b42ada66ba505abc8cf9639cf95e1525cf4732b98
SHA512bc0463a4832858bac6ee54328afd534191531a307e7fe390a35b48e36517c148dbc41c5fc44dc639f49cbbb59b9ceeb9d9d53bcc9c19454d99869ee648668c1b
-
Filesize
71KB
MD57727212e7bdbf63b1a39fb7faad24265
SHA1a8fdec19d6690081b2bf55247e8e17657a68ac97
SHA256b0116303e1e903d6eb02a69d05879f38af1640813f4b110cb733ffff6e4e985c
SHA5122b1a27642118dd228791d0d8ba307aa39ab2d9c7d3799cff9f3c0744fe270eeaefe5545a4fda6e74e86fee747e45bf5f6c9ac799950c2b483a16eb3ce85d816a
-
Filesize
54KB
MD5ef1217909e473e7550d4e0f8649e9899
SHA152489ac45202525c3757741015376806da73131a
SHA2566c5f213cee7f1ede6f5ec7ffc7102b2e777e9a19eb21e795bcd0ba6de1f49489
SHA512e62ae850e3be398bf2d91269a5958c2c6aede111e58876675a04a343a927d1df306cef559a34b19d9f88edbc4ee7cdaca31d6b0c72eb388c93be6bd017058d28
-
Filesize
101KB
MD543962d46dce863e51863783fb186a449
SHA16f62af15b738d38ac333d477f840284627ec8849
SHA256bbe1500c272c8452c63520326683fcd48aa184c0a4f41ed56ac08278ef5dd3da
SHA5127d7591fce56eeac924c6bff06118a0f0da951133ec8192696832e03e4cdeb22242d8d5a103c330e47c358743b75929a82cc833d3be51f53540d7c970ccb594f0
-
Filesize
31KB
MD54aca251f62eb58043ebddb2f7e6723f0
SHA13f5cfd347f16c9cff5bc95b26d3081031a71ad85
SHA25604cc829af7271a9b50cd03d59860e0e12f146d0dd2e16d51cd3e6f8b7f6af45e
SHA5120e1e97fbd6fac6b2aa0655d08c5db888e3ec5e34abf33ce8741ab875b424ede4619387ce612b71ff273f0977daa535d1b33e3856b124a11cc3999e8715b139f7
-
Filesize
81KB
MD5672c40c864ab29141a573f778d57d1a2
SHA1bc9443654f593163d02ccdb790c17ae8bcea9c04
SHA2568cf7d39be3f91971b1f8fc88a0e320edb720e0e61d26a32b56bbebe3fe23e485
SHA512fb60de107c049d9b4dcfae5b13e56cbf080e736fa69c92291b7f4abf838eee2a62d940b0b2b69cc60a650bdd127fff8bf305cdb220592c5a0132953546b14084
-
Filesize
22KB
MD5d6d33072072f7f9fe1ad69846d2d99cb
SHA172089a7b0c42798a3c997054d99bf63a36361589
SHA256803ad62cbc5834b59dc3ccd44e8b71b5a6dedcdd8fcd8bd13b3cfeab765721b7
SHA5120c82744221a3e392c736c2b3d97e1577316279dddb587f71457cfe101be205cb52e871a28fdc8a485c0a2474a4515e5479ffd3638e590fa18142c3248112a670
-
Filesize
27KB
MD528ea417bf25b472c909cf63462ba9ef4
SHA1c3754cb23bbec72151ba79f7fcd9b6b9a63b2694
SHA2568cb8f65f1cc6717e85da97bef42ef61aa644a5c5bcfc6c23fed893d24b9ade06
SHA512abb995f6f0e72face46619c282a555b0175e3b05c750c9637b0f4fba3f2f2dfa9f7ed5e53443a7547dae34ba67989d80f29a8200fa1116291c949a6be7cd06fc
-
Filesize
21KB
MD5882e18ba4edba5c3343eaf69de9ef0d2
SHA142d979b4367401a8da471938e51d9d8b8f21fbdb
SHA25635b72ef1546f5c99ec7655439d946d21049c1af1a8b04d43dd75905d07bd3d9c
SHA512a005717f087f0650c1f8f7f446e8cbd6c89a4ffe486957eac62abb649ac52767a27506a02fed4a039c7347e24d1d13b02883432f7d00eed92be50b36dba11ed6
-
Filesize
38KB
MD5c393807c2b4db1ef035c35d44ee7e27e
SHA12035ae4199cb87f87c21a170dff6094cccac789e
SHA256f9f87f9e233a83f00b59e4b20c3ef5cdc4c8256f1fbf8d6cbc3a8619a5d31161
SHA512df30349a031d47bcd2a2324067364fc04c57ec55c3014beeec325cf3f19b88ac36a1c120b9b3833011f7dea3a7a8461e8ed847e104cfa786df1ff0404c324394
-
Filesize
45KB
MD566bdd61d103f7408b39ed0689a736fcf
SHA1bf64187823af7e17df7ffb6d022d6c55529b5019
SHA256457c828ed5dc483d90525aec78dcf58a63ac59b1e985192fa812884ef6da85d2
SHA5125dae18d8ad419c582c6a362f076519c52286da89b98be296bcf1a1af46706790d479fa76d72f0760f349b4941b1811bdc5cbc3c6bffafec190d28f97442e989f
-
Filesize
58KB
MD542146db5647f8a00358473acee48fddc
SHA1be45224db1ed10e238eae50d1b4f9d3fef40c698
SHA2567b2d9490dfecfaf918d3eeb5d8f242eff1c3de6609d414bb3c318859d2a6717c
SHA5121e522b661bd20f8f878e6f2e2f9bf6868048dc752d596162a3ba1c6283a76ec60f3f1cd792e1e670fcd5a9ab57cfcf9d5f11b257f44e68f9dc42df81b6c2a60d
-
Filesize
19KB
MD57c7db8c81f5f26cf1a795254f4cfba81
SHA10575708630b0f8917e80285d065dcf27f5642307
SHA256e23fd6254aceb83c12bdaaa477b3777cc84ffd057dcd86de5ba15bbb94d3b321
SHA512c7481f6a7ea6eb343a5a1f98e8040c8018a26b32b5c08b0c11d00e68e0c77f800421d147998b24e24821913d274b3dff36b14a2140fb3deb4649cbb50bc3a561
-
Filesize
858KB
MD5789d288a8a4bd999b71846b020bb425c
SHA1a4a4c52092ff8cfaa10e05fab0c879009bd0395e
SHA256215e363d87855bf45206a8f8b5510227930422829842e7f0a41fdd0bf7cb5cdc
SHA51295ab7d80b37059ad6aa19b66568e1240a5825d770300846a635bd57b2579b06413a370db2053445973f36ef8dcd4bfe8e2e52fbd65a8db59b48641854c49ff65
-
Filesize
1.1MB
MD55e999bc10636935a56a26b623718d4be
SHA1378622eb481006983f14607fdce99641d161f244
SHA25635460fc9fd3bac20826a5bd7608cbe71822ac172e014a6b0e0693bd1b6e255c1
SHA512d28ecc0f001b91c06fe4572ad18eb49cb0c81c2b3496725d69f6f82eccd992047ecd5819e05e4f7bf786904b6c2e5d68fecc629fa50425a7d7abd9fe33c0052a
-
Filesize
23KB
MD5d50ebf567149ead9d88933561cb87d09
SHA1171df40e4187ebbfdf9aa1d76a33f769fb8a35ed
SHA2566aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af
SHA5127bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de
-
Filesize
200KB
MD58d8d9c30250f7042d25d73b9822efc45
SHA1f6b83a793175e77f6e8a6add37204115da8cb319
SHA25692bf5bdc30c53d52ab53b4f51e5f36f5b8be1235e7929590a9fddc86819dba1d
SHA512ed40078d289b4293f4e22396f5b7d3016daec76a4406444ccd0a8b33d9c939a6f3274b4028b1c85914b32e69fc00c50ec9a710738746c9ee9962f86d99455bdf
-
Filesize
20KB
MD57f691747ce66d3ed05a7c2c53220c8b5
SHA11d3f247042030cf8cf7c859002941beba5d15776
SHA2567d6472a0d7f1a0740c7fc0d0d0ea6f7c6e7cb2b11b8c623c46a6fae1adb4e228
SHA512b01f0e91039fc5b2782caaa0b3d56d5d1fe9e94424cc536cde9eca73a76747736060042e345af9edc5ef5bf5c154705d2c2dddf35536f305306be25a955a9f06
-
Filesize
82KB
MD513dab8a6ef861842f835940ac87a9204
SHA1b1d0b8d080a83f11467ef23a487a2b140c5b4325
SHA25657a561945943de9d06ed0a8c16699d0e28d38ec696a354fe8735a3de6518ec0b
SHA51212a020130711bd17a2a1c12beaeb239040ec17a6742382546e044155a57736bfbb8fd95d30d08fd5b52bc4488cadc149708b253006b4c2ca26f84266869fa64a
-
Filesize
60KB
MD5f5cb0f83f8a825d4bedcddae9d730804
SHA107385f55b69660b8abc197cfab7580072da320ea
SHA256a62a9c7966cf614b3083740dc856ca9a1151ddcc0b110ebc3494799511ed392b
SHA5122bfa35eb4b8fff821b4504eccad94ed8591ef42e0cdb39a18458395789508b4d2da76f0de3708d963c3187b8b1ced66b37c66834f17eeca0ceb45a62b3a69974
-
Filesize
1.4MB
MD50ff261eaec9b2a95d5a42dd14b3ebd06
SHA1eaca11a8495d1d82754eea1d370db66beee5531a
SHA256d83d45dba2dc176107a17dc5efe8c136cab3bacdbb42426805c1a36d78242ff3
SHA51204ab60e90babbf53001ccc4ffd7e979ff450b232cbf1221731ecbe21cab0bee4a42c9ff6a53a5973f89b48085f797384a8d1218f34c48149c7b7d572fd8bf663
-
Filesize
21KB
MD5f6ccbb8579c0a2d3ab65f62546ab9549
SHA19c441a78b771bd591a73ab27c6ae4a514ed356b6
SHA256ce958b7855d3c85127a8971cc4d9c79611402ae1e05ad6b22147e9fe084dbb08
SHA51204a0ceaccce5010d233d2508e09af531761cfe1cf2a55e531966c06bfcf4e4936b139cd9158b7ba680b795bd64a5e83d198c18a00f33771e3dc3a73008851cae
-
Filesize
611KB
MD502ffe8fbaca3a8e908615c557f4dfae3
SHA161dacefbc236c99cb904ed05627eeed4fb5ab74d
SHA25680943701e464891c4b7c9342ca3d6d8aa8d8125617c3e72c082c3ff8783f9130
SHA5121e87843f844d4b85d688b2aad049e941945a7e7c7d6778982bf8fac1e8d0fec33e63344a231a243d8c1e69c769cef382b39311cf03ecc0732cd6fceafe2952f6
-
Filesize
285KB
MD5135c7cddd0c42150dcca589716c5a20b
SHA11546e9064cfb4ab16cd8849e06bb14e613e5ca89
SHA256eb6b2821c9b5d4421554878c6b8cbd96ed4a23cb878ff159b37c2ddd22e43bee
SHA5122921538faf85ced9dc6715865958e208bfc88e7135d5009c1d648ca4a8b3adcd548f704a783bad62a2ad1020f8e0859efc664afed3c326afc8ded484ea907ef7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
18B
MD5fc5c5a9abde6454f2edaef416b1d0f04
SHA13c7bdec965fd559fab85d9ed71cc8317049370ab
SHA256fb5ff5a9c274890fa6247c2418cf204cf600f8e898fedb6f51cf44dcbefe7f06
SHA51225efd1b9fd1091cda7dd5e6ed380dac00f4880249e5a5cbb96d1447bb566672c6be26fa1a33365c47a2ba21ee3fffafada7f35cd97c72b7ace119adc5ed64e43
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
3.5MB
-
Filesize
144KB
-
Filesize
80KB
-
Filesize
184KB
-
Filesize
4.4MB
-
Filesize
3.5MB
-
Filesize
732KB
-
Filesize
64KB
-
Filesize
84KB
-
Filesize
80KB
-
Filesize
100KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
1.1MB
-
Filesize
108KB
-
Filesize
1.4MB
-
Filesize
184KB
-
Filesize
3.5MB
-
Filesize
80KB
-
Filesize
308KB
-
Filesize
100KB
-
Filesize
732KB
-
Filesize
88KB
-
Filesize
3.5MB
-
Filesize
68KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
84KB
-
Filesize
7.5MB
-
Filesize
136KB
-
Filesize
220KB
-
Filesize
1.1MB
-
Filesize
88KB
-
Filesize
52KB
-
Filesize
184KB
-
Filesize
4.4MB
-
Filesize
308KB
-
Filesize
68KB
-
Filesize
52KB
-
Filesize
96KB
-
Filesize
176KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
1.4MB
-
Filesize
60KB
-
Filesize
100KB
-
Filesize
144KB
-
Filesize
40KB
-
Filesize
3.5MB
-
Filesize
120KB
-
Filesize
52KB
-
Filesize
220KB
-
Filesize
308KB
-
Filesize
100KB
-
Filesize
80KB
-
Filesize
732KB
-
Filesize
184KB
-
Filesize
4.4MB
-
Filesize
120KB
-
Filesize
144KB
-
Filesize
7.5MB
-
Filesize
64KB
-
Filesize
1.4MB
-
Filesize
80KB
-
Filesize
184KB
-
Filesize
4.4MB
-
Filesize
184KB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
52KB
-
Filesize
220KB
-
Filesize
7.5MB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
3.5MB
-
Filesize
88KB
-
Filesize
108KB
-
Filesize
1.1MB
-
Filesize
100KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
4.4MB
-
Filesize
80KB
-
Filesize
100KB
-
Filesize
732KB
-
Filesize
96KB
-
Filesize
176KB
-
Filesize
120KB
-
Filesize
1.4MB
-
Filesize
52KB
-
Filesize
84KB
-
Filesize
60KB
-
Filesize
144KB
-
Filesize
308KB
-
Filesize
136KB