d7786d0316fa7aa5d48edc33476e97ce3ff0d463e4ac141d3d47d25b1584cffe

Analysis

max time kernel
92s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

115.2MB
MD5

8c228cbff338e4fce405636406d88b73
SHA1

ffc8da3b1ca026c1e471465a6af520e1f02fb243
SHA256

d7786d0316fa7aa5d48edc33476e97ce3ff0d463e4ac141d3d47d25b1584cffe
SHA512

ae34eb223d9e4c69cadf82c4002af202f292e8bb239b45878561cf896ad26a9de1656b10792d06900e576539efbf395a1da3bf28801476208564ee651b898927
SSDEEP

3145728:BrLkzsBKO56AEUsW3crNECYjcgi91VAnr2+KJ:2zs867sW7c5hAbk

Score

8^/10

credential_access discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4972	powershell.exe
540	powershell.exe
2012	powershell.exe
4872	powershell.exe
4896	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 2 IoCs

pid	Process
2764	bound.exe
4508	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe
2372	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com
18	ip-api.com

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4548	tasklist.exe
392	tasklist.exe
2960	tasklist.exe
4480	tasklist.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c5a-64.dat	upx
behavioral2/memory/2372-68-0x00007FFF0CB00000-0x00007FFF0CF66000-memory.dmp	upx
behavioral2/files/0x0009000000023ba5-71.dat	upx
behavioral2/memory/2372-73-0x00007FFF1CA90000-0x00007FFF1CAB4000-memory.dmp	upx
behavioral2/files/0x0007000000023c58-72.dat	upx
behavioral2/memory/2372-114-0x00007FFF20670000-0x00007FFF2067F000-memory.dmp	upx
behavioral2/files/0x0007000000023c57-117.dat	upx
behavioral2/files/0x0008000000023baf-128.dat	upx
behavioral2/files/0x0008000000023bac-127.dat	upx
behavioral2/files/0x000e000000023baa-126.dat	upx
behavioral2/files/0x0009000000023ba6-125.dat	upx
behavioral2/files/0x0009000000023ba4-124.dat	upx
behavioral2/files/0x0007000000023c60-123.dat	upx
behavioral2/files/0x0007000000023c5e-122.dat	upx
behavioral2/files/0x0007000000023c5d-121.dat	upx
behavioral2/files/0x0007000000023c59-118.dat	upx
behavioral2/memory/2372-133-0x00007FFF1CA60000-0x00007FFF1CA8C000-memory.dmp	upx
behavioral2/memory/2372-134-0x00007FFF1CA40000-0x00007FFF1CA58000-memory.dmp	upx
behavioral2/memory/2372-135-0x00007FFF1CA20000-0x00007FFF1CA3F000-memory.dmp	upx
behavioral2/memory/2372-136-0x00007FFF0C980000-0x00007FFF0CAFA000-memory.dmp	upx
behavioral2/memory/2372-138-0x00007FFF1C7A0000-0x00007FFF1C7AD000-memory.dmp	upx
behavioral2/memory/2372-137-0x00007FFF1CA00000-0x00007FFF1CA19000-memory.dmp	upx
behavioral2/memory/2372-142-0x00007FFF0C600000-0x00007FFF0C979000-memory.dmp	upx
behavioral2/memory/2372-141-0x00007FFF14CE0000-0x00007FFF14D98000-memory.dmp	upx
behavioral2/memory/2372-140-0x00007FFF1C770000-0x00007FFF1C79E000-memory.dmp	upx
behavioral2/memory/2372-139-0x00007FFF0CB00000-0x00007FFF0CF66000-memory.dmp	upx
behavioral2/memory/2372-143-0x00007FFF1CA90000-0x00007FFF1CAB4000-memory.dmp	upx
behavioral2/memory/2372-145-0x00007FFF1C760000-0x00007FFF1C76D000-memory.dmp	upx
behavioral2/memory/2372-144-0x00007FFF1C700000-0x00007FFF1C715000-memory.dmp	upx
behavioral2/memory/2372-146-0x00007FFF1CA60000-0x00007FFF1CA8C000-memory.dmp	upx
behavioral2/memory/2372-149-0x00007FFF1CA40000-0x00007FFF1CA58000-memory.dmp	upx
behavioral2/memory/2372-176-0x00007FFF0C4E0000-0x00007FFF0C5F8000-memory.dmp	upx
behavioral2/memory/2372-175-0x00007FFF1CA20000-0x00007FFF1CA3F000-memory.dmp	upx
behavioral2/memory/2372-187-0x00007FFF0C980000-0x00007FFF0CAFA000-memory.dmp	upx
behavioral2/memory/2372-200-0x00007FFF1CA00000-0x00007FFF1CA19000-memory.dmp	upx
behavioral2/memory/2372-216-0x00007FFF14CE0000-0x00007FFF14D98000-memory.dmp	upx
behavioral2/memory/2372-215-0x00007FFF1C770000-0x00007FFF1C79E000-memory.dmp	upx
behavioral2/memory/2372-227-0x00007FFF0C600000-0x00007FFF0C979000-memory.dmp	upx
behavioral2/memory/2372-241-0x00007FFF0CB00000-0x00007FFF0CF66000-memory.dmp	upx
behavioral2/memory/2372-257-0x00007FFF1CA90000-0x00007FFF1CAB4000-memory.dmp	upx
behavioral2/memory/2372-269-0x00007FFF0C4E0000-0x00007FFF0C5F8000-memory.dmp	upx
behavioral2/memory/2372-268-0x00007FFF1C760000-0x00007FFF1C76D000-memory.dmp	upx
behavioral2/memory/2372-267-0x00007FFF1C700000-0x00007FFF1C715000-memory.dmp	upx
behavioral2/memory/2372-266-0x00007FFF14CE0000-0x00007FFF14D98000-memory.dmp	upx
behavioral2/memory/2372-265-0x00007FFF1C770000-0x00007FFF1C79E000-memory.dmp	upx
behavioral2/memory/2372-264-0x00007FFF0C600000-0x00007FFF0C979000-memory.dmp	upx
behavioral2/memory/2372-263-0x00007FFF1CA00000-0x00007FFF1CA19000-memory.dmp	upx
behavioral2/memory/2372-262-0x00007FFF0C980000-0x00007FFF0CAFA000-memory.dmp	upx
behavioral2/memory/2372-261-0x00007FFF1CA20000-0x00007FFF1CA3F000-memory.dmp	upx
behavioral2/memory/2372-260-0x00007FFF1CA40000-0x00007FFF1CA58000-memory.dmp	upx
behavioral2/memory/2372-259-0x00007FFF1CA60000-0x00007FFF1CA8C000-memory.dmp	upx
behavioral2/memory/2372-258-0x00007FFF20670000-0x00007FFF2067F000-memory.dmp	upx
behavioral2/memory/2372-256-0x00007FFF1C7A0000-0x00007FFF1C7AD000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2012	WMIC.exe
2820	WMIC.exe
2356	WMIC.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4872	powershell.exe
2012	powershell.exe
4872	powershell.exe
2012	powershell.exe
4972	powershell.exe
4972	powershell.exe
540	powershell.exe
540	powershell.exe
4896	powershell.exe
4896	powershell.exe
2928	powershell.exe
2928	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	4548	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3784	WMIC.exe
Token: SeSecurityPrivilege	3784	WMIC.exe
Token: SeTakeOwnershipPrivilege	3784	WMIC.exe
Token: SeLoadDriverPrivilege	3784	WMIC.exe
Token: SeSystemProfilePrivilege	3784	WMIC.exe
Token: SeSystemtimePrivilege	3784	WMIC.exe
Token: SeProfSingleProcessPrivilege	3784	WMIC.exe
Token: SeIncBasePriorityPrivilege	3784	WMIC.exe
Token: SeCreatePagefilePrivilege	3784	WMIC.exe
Token: SeBackupPrivilege	3784	WMIC.exe
Token: SeRestorePrivilege	3784	WMIC.exe
Token: SeShutdownPrivilege	3784	WMIC.exe
Token: SeDebugPrivilege	3784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3784	WMIC.exe
Token: SeRemoteShutdownPrivilege	3784	WMIC.exe
Token: SeUndockPrivilege	3784	WMIC.exe
Token: SeManageVolumePrivilege	3784	WMIC.exe
Token: 33	3784	WMIC.exe
Token: 34	3784	WMIC.exe
Token: 35	3784	WMIC.exe
Token: 36	3784	WMIC.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeIncreaseQuotaPrivilege	3784	WMIC.exe
Token: SeSecurityPrivilege	3784	WMIC.exe
Token: SeTakeOwnershipPrivilege	3784	WMIC.exe
Token: SeLoadDriverPrivilege	3784	WMIC.exe
Token: SeSystemProfilePrivilege	3784	WMIC.exe
Token: SeSystemtimePrivilege	3784	WMIC.exe
Token: SeProfSingleProcessPrivilege	3784	WMIC.exe
Token: SeIncBasePriorityPrivilege	3784	WMIC.exe
Token: SeCreatePagefilePrivilege	3784	WMIC.exe
Token: SeBackupPrivilege	3784	WMIC.exe
Token: SeRestorePrivilege	3784	WMIC.exe
Token: SeShutdownPrivilege	3784	WMIC.exe
Token: SeDebugPrivilege	3784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3784	WMIC.exe
Token: SeRemoteShutdownPrivilege	3784	WMIC.exe
Token: SeUndockPrivilege	3784	WMIC.exe
Token: SeManageVolumePrivilege	3784	WMIC.exe
Token: 33	3784	WMIC.exe
Token: 34	3784	WMIC.exe
Token: 35	3784	WMIC.exe
Token: 36	3784	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2820	WMIC.exe
Token: SeSecurityPrivilege	2820	WMIC.exe
Token: SeTakeOwnershipPrivilege	2820	WMIC.exe
Token: SeLoadDriverPrivilege	2820	WMIC.exe
Token: SeSystemProfilePrivilege	2820	WMIC.exe
Token: SeSystemtimePrivilege	2820	WMIC.exe
Token: SeProfSingleProcessPrivilege	2820	WMIC.exe
Token: SeIncBasePriorityPrivilege	2820	WMIC.exe
Token: SeCreatePagefilePrivilege	2820	WMIC.exe
Token: SeBackupPrivilege	2820	WMIC.exe
Token: SeRestorePrivilege	2820	WMIC.exe
Token: SeShutdownPrivilege	2820	WMIC.exe
Token: SeDebugPrivilege	2820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2820	WMIC.exe
Token: SeRemoteShutdownPrivilege	2820	WMIC.exe
Token: SeUndockPrivilege	2820	WMIC.exe
Token: SeManageVolumePrivilege	2820	WMIC.exe
Token: 33	2820	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 2372	524	Built.exe	84
PID 524 wrote to memory of 2372	524	Built.exe	84
PID 2372 wrote to memory of 4204	2372	Built.exe	85
PID 2372 wrote to memory of 4204	2372	Built.exe	85
PID 2372 wrote to memory of 1128	2372	Built.exe	86
PID 2372 wrote to memory of 1128	2372	Built.exe	86
PID 4204 wrote to memory of 2012	4204	cmd.exe	89
PID 4204 wrote to memory of 2012	4204	cmd.exe	89
PID 1128 wrote to memory of 4872	1128	cmd.exe	90
PID 1128 wrote to memory of 4872	1128	cmd.exe	90
PID 2372 wrote to memory of 2052	2372	Built.exe	91
PID 2372 wrote to memory of 2052	2372	Built.exe	91
PID 2372 wrote to memory of 1448	2372	Built.exe	92
PID 2372 wrote to memory of 1448	2372	Built.exe	92
PID 2372 wrote to memory of 4744	2372	Built.exe	95
PID 2372 wrote to memory of 4744	2372	Built.exe	95
PID 4744 wrote to memory of 4548	4744	cmd.exe	96
PID 4744 wrote to memory of 4548	4744	cmd.exe	96
PID 2372 wrote to memory of 3748	2372	Built.exe	97
PID 2372 wrote to memory of 3748	2372	Built.exe	97
PID 3748 wrote to memory of 3784	3748	cmd.exe	98
PID 3748 wrote to memory of 3784	3748	cmd.exe	98
PID 2052 wrote to memory of 4972	2052	cmd.exe	99
PID 2052 wrote to memory of 4972	2052	cmd.exe	99
PID 2372 wrote to memory of 3000	2372	Built.exe	102
PID 2372 wrote to memory of 3000	2372	Built.exe	102
PID 3000 wrote to memory of 5044	3000	cmd.exe	103
PID 3000 wrote to memory of 5044	3000	cmd.exe	103
PID 2372 wrote to memory of 4928	2372	Built.exe	104
PID 2372 wrote to memory of 4928	2372	Built.exe	104
PID 4928 wrote to memory of 3620	4928	cmd.exe	105
PID 4928 wrote to memory of 3620	4928	cmd.exe	105
PID 2372 wrote to memory of 3964	2372	Built.exe	106
PID 2372 wrote to memory of 3964	2372	Built.exe	106
PID 3964 wrote to memory of 2820	3964	cmd.exe	107
PID 3964 wrote to memory of 2820	3964	cmd.exe	107
PID 1448 wrote to memory of 2764	1448	cmd.exe	101
PID 1448 wrote to memory of 2764	1448	cmd.exe	101
PID 2372 wrote to memory of 1800	2372	Built.exe	108
PID 2372 wrote to memory of 1800	2372	Built.exe	108
PID 1800 wrote to memory of 2356	1800	cmd.exe	109
PID 1800 wrote to memory of 2356	1800	cmd.exe	109
PID 2372 wrote to memory of 4640	2372	Built.exe	110
PID 2372 wrote to memory of 4640	2372	Built.exe	110
PID 4640 wrote to memory of 540	4640	cmd.exe	112
PID 4640 wrote to memory of 540	4640	cmd.exe	112
PID 2372 wrote to memory of 1576	2372	Built.exe	113
PID 2372 wrote to memory of 1576	2372	Built.exe	113
PID 2372 wrote to memory of 648	2372	Built.exe	114
PID 2372 wrote to memory of 648	2372	Built.exe	114
PID 1576 wrote to memory of 2960	1576	cmd.exe	115
PID 1576 wrote to memory of 2960	1576	cmd.exe	115
PID 648 wrote to memory of 392	648	cmd.exe	116
PID 648 wrote to memory of 392	648	cmd.exe	116
PID 2372 wrote to memory of 1116	2372	Built.exe	117
PID 2372 wrote to memory of 1116	2372	Built.exe	117
PID 1116 wrote to memory of 2836	1116	cmd.exe	118
PID 1116 wrote to memory of 2836	1116	cmd.exe	118
PID 2372 wrote to memory of 3252	2372	Built.exe	119
PID 2372 wrote to memory of 3252	2372	Built.exe	119
PID 3252 wrote to memory of 788	3252	cmd.exe	120
PID 3252 wrote to memory of 788	3252	cmd.exe	120
PID 2372 wrote to memory of 3128	2372	Built.exe	121
PID 2372 wrote to memory of 3128	2372	Built.exe	121

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
664	attrib.exe
788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:5044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‎  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‎  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3128
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:216
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI5242\rar.exe a -r -hp"B" "C:\Users\Admin\AppData\Local\Temp\GjjqX.zip" *"
    3⤵
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\_MEI5242\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI5242\rar.exe a -r -hp"B" "C:\Users\Admin\AppData\Local\Temp\GjjqX.zip" *
      4⤵
      Executes dropped EXE
      PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4668
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3760
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1892
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI5242\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\_bz2.pyd

Filesize
47KB

MD5
fba120a94a072459011133da3a989db2

SHA1
6568b3e9e993c7e993a699505339bbebb5db6fb0

SHA256
055a93c8b127dc840ac40ca70d4b0246ac88c9cde1ef99267bbe904086e0b7d3

SHA512
221b5a2a9de1133e2866b39f493a822060d3fb85f8c844c116f64878b9b112e8085e61d450053d859a63450d1292c13bd7ec38b89fe2dfa6684ac94e090ec3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\_ctypes.pyd

Filesize
58KB

MD5
31859b9a99a29127c4236968b87dbcbb

SHA1
29b4ee82aa026c10fe8a4f43b40cbd8ec7ea71e5

SHA256
644712c3475be7f02c2493d75e6a831372d01243aca61aa8a1418f57e6d0b713

SHA512
fec3ab9ce032e02c432d714de0d764aab83917129a5e6eeca21526b03176da68da08024d676bc0032200b2d2652e6d442ca2f1ef710a7408bd198995883a943a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\_decimal.pyd

Filesize
106KB

MD5
7cdc590ac9b4ffa52c8223823b648e5c

SHA1
c8d9233acbff981d96c27f188fcde0e98cdcb27c

SHA256
f281bd8219b4b0655e9c3a5516fe0b36e44c28b0ac9170028dd052ca234c357c

SHA512
919c36be05f5f94ec84e68ecca43c7d43acb8137a043cf429a9e995643ca69c4c101775955e36c15f844f64fc303999da0cbfe5e121eb5b3ffb7d70e3cd08e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\_hashlib.pyd

Filesize
35KB

MD5
659a5efa39a45c204ada71e1660a7226

SHA1
1a347593fca4f914cfc4231dc5f163ae6f6e9ce0

SHA256
b16c0cc3baa67246d8f44138c6105d66538e54d0afb999f446cae58ac83ef078

SHA512
386626b3bad58b450b8b97c6ba51ce87378cddf7f574326625a03c239aa83c33f4d824d3b8856715f413cfb9238d23f802f598084dbd8c73c8f6c61275fdecb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\_lzma.pyd

Filesize
85KB

MD5
864b22495372fa4d8b18e1c535962ae2

SHA1
8cfaee73b7690b9731303199e3ed187b1c046a85

SHA256
fc57bd20b6b128afa5faaac1fd0ce783031faaf39f71b58c9cacf87a16f3325f

SHA512
9f26fe88aca42c80eb39153708b2315a4154204fc423ca474860072dd68ccc00b7081e8adb87ef9a26b9f64cd2f4334f64bc2f732cd47e3f44f6cf9cc16fa187

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\_queue.pyd

Filesize
25KB

MD5
bebc7743e8af7a812908fcb4cdd39168

SHA1
00e9056e76c3f9b2a9baba683eaa52ecfa367edb

SHA256
cc275b2b053410c6391339149baf5b58df121a915d18b889f184be02bedaf9bc

SHA512
c56496c6396b8c3ec5ec52542061b2146ea80d986dfe13b0d4feb7b5953c80663e34ccd7b7ee99c4344352492be93f7d31f7830ec9ec2ca8a0c2055cb18fa8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
9313c86e7bae859f0174a1c8b6aba58b

SHA1
dce67fd1da5da8dc4ba406c544e55a83d6536cc9

SHA256
af9675ac90bae8a0d8623f6fdaff9d39e1b8810e8e46a5b044baaa3396e745b3

SHA512
2ec64fce4a86bc52dc6c485fd94d203020617df92698ca91ae25c4901984899e21c7dd92881ec52d6850edfa547701aab9b0cd1b8d076e6779b1a13324cdd3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
854458ad55c39a9dfd1e350a51be02b8

SHA1
5013cf58de5a0b55e026ace967e9842b3b131c2a

SHA256
f918b0c45f59b2cb29f1eb3653d2f2679095e85e082a1198c933a76edf1f33ef

SHA512
faa41a5031033f7e86efebc47777f915e95617f4b05d93833066c206d9c092855d8072c7bd142898f5a2bd1f94b646d98933302ddeb5a9ca0d5930c7b2241b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
7ad2034acd0f296fe9eed320e5ad7591

SHA1
fe1b217e3f4567905968f7a3d48a7611e3cf3f7b

SHA256
0d859a866d1bcefe1a1bc5adb88dcf2765567ecc31dfb4e472b512d033d88bb4

SHA512
06d017b0ef9d081bc627f7f33d51ef2fe64e2cc5023204771032c4ed7bf26c0c6106b69d78f7bdd880fa59e8e4048b2da8848784bc92d7780155df140c952420

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
12ea48ce605ebb204a21ae7d86db3417

SHA1
5fb0ff9ba4105cd76ee4470ae4cad0a39ae68c66

SHA256
189bbbd739526a986e53518865e741cde8c5967aacd5ed687408cec3d8781f1c

SHA512
39b486fb72c9dff4e391673a872e957dbf0545d4d26914d0b0a475624e40b4feec3a9a17549e87ba806b1a90bf6f7784a187c506daa1db5201561cef90ff6e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
201ff3cd2ffe7d222f46574d4ac40a70

SHA1
b43f19bbb8fd1c8aa05ba67dea38a7785dbe57b6

SHA256
b83a71978215fdba477c4ea61340168947a1021324d118e6b7159054985f2d1a

SHA512
3f99d7b501c1db470a6d91af856ebbede05522acb5763d928f4fb28c74db2339b46df108745ed8ebd8c6c1298d9495358c245d188f055638b0d6dd568fa596d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
4b328f140a3ae7fedb21ca50cc23d938

SHA1
9e71b4c2cf030a644d2050188c4b77e638c0ee14

SHA256
e55b200643e8b078e7f5eb0c97de44fead21b11d06590ebedbcb84214d063345

SHA512
4c349f45ca4db4f1247aa405e5627f22b7ccfe66234d8d970475e71471ebb251f7a0f781a33d0e4ec893f86653b0a1c8508adf576e923d0ce86b43f552204614

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
4a060eec454c222a5381cd359dc00b81

SHA1
21e1bc115d04a74779e955ea16a16bd71454d9bb

SHA256
e6b2b05e14a6c6f5381e8f4c7f4fd28a499246fb4c8eafe1f08014b9273d70df

SHA512
16fb1f4ccdad05d07feb62e0cd078401f4023f9fab0fb15e52b927ca413e65eb32c2932ba59dbfa7f7ee0e8a8053748e27f2757e82e600db812271aa44a9433c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-file-l2-1-0.dll

Filesize
20KB

MD5
50abf0a7ee67f00f247bada185a7661c

SHA1
0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1

SHA256
f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7

SHA512
c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
4166d703abc9c6de65d5b269d3a5425e

SHA1
16bcd7191312b94bdf38368d188e5a5cc479a36c

SHA256
0a351c2a2889a42886017e7dbcf75f45e3cb24d2f55e72205624272487e4a056

SHA512
f722dba410cab727c753e9cce0bc47663e22f45828f5df0bac5bd6331497a2f15f6d9330b5203d3ff735f1ce6397e63c1b21d3ea6c5ceab817b5f83ec296882b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
993b5bc35dac959bed58b77fe42ac77a

SHA1
2abad159cbab86ff423d6446143427daab751366

SHA256
b998ff8d173c34505e1d5984134282866de910b09919cf9a322fce760b75c80b

SHA512
ca19e949dcc8460af53c9dad17995a0cbffd971bb731b7fcb53bb9384d227357926231c9fadfaa5aef09055bebae9d5c23ee73eb6eca04d6a52a3df0847e10ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
0b65672b91c6a12d769dd777f810b149

SHA1
2d527b45dcbe653a91e10365891c7e589f5e51e0

SHA256
c09eb307b2eb747b73c516267a99a23bb73204452326d41bdeb6f43598f6d62e

SHA512
f090bb0b8f3616cf2d77ff25523bc823918e1452f626a1298c95003def1867c785566a4e85ccd7f5a20f14631caec5dd392777db2d00368c3fdf3597e0f51788

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
259b4186004bb41e706dd781e29f5c5b

SHA1
85751d31fe233ed51c46466f214f497d01be8d87

SHA256
b3ba83880986f2522d05a88c52fe69eda9c9fadbc5192a063e36bba777cc877f

SHA512
f8a06252e96f40965668c978c4808305d424de698f47f420643d713751926636f2049dd34c8156ba5bbbf5a5b2f4d5c19a978cf27d3aaebd728d7a3de8f0afa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
4c26932f8f1f490017add31f5ec0a533

SHA1
0da01a7c89b506fe3fd939344bb51b976efb3207

SHA256
dd3843c2e46b4e926c36150d614efe02ca0ebc1f767f64f471568adc35c2ef23

SHA512
eb2b87d187991fdc8e3a6577f20622d2d4a2a994dd375d8c27e1434ce786596533eacfbde8714db9959d88d6bcb91fdc8079c60c23f0eb920ba45c546a44e523

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
41e0b7cb0eecba317cf321b1ada084d7

SHA1
4ce1f13188fc00eb29c726717eae489c524c1c8a

SHA256
db978830b1fbcc0521582a6a79864b0fd83179248fa374926c8097bc02cd6383

SHA512
f0961cde8dc83b845b2b91e42436ed8b42d2fb19caaabf49b300fa9cbbae9fab84009b4714c3899ab4a703315a135a61e508db29239d823a1cc11462ce6ffab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
7e751952f122f4e8be1317087dc9dc71

SHA1
f65884c8cfbb8ad565b3df3a51af11b1617c7092

SHA256
d078a9a9958a7c816dea989bef24f32befc6651aea5e07f97a7b5d50df73f799

SHA512
960922ac1309bdcf42d6900a0bea30d4096d1411ec6a97f328520d4a59f71fc04e6f4a7b8d2b346012530329f76897607369c8e1ed1fe9c589d7f7682987c043

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
6d0762a2ba4263d0901ca7aaa0725c0c

SHA1
e36d2d049116bd2d84121cdfa179098ac03650b4

SHA256
2ee9434cc5f40f4514c7284e14b90db5c7a33000afda834d7c1dc063baa3d805

SHA512
94616b2bfc0497ca2dbbc23c1aa4ecb04113a53d75fa570f6bb5e2561e5cdb940792e2cb290562133d226400c78d91377fdd312ba2858679084c66ff1ae9031d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
abaabc1df36c7a0674f20fb83247fd71

SHA1
345db0ffea0cb2531b79d464ad69347ac71ee2b9

SHA256
ba55f8481d8a9d225b8c430eb010f675250c5afa64d9eeb15ff31dc159a19f5a

SHA512
7c01b8f46e9fbe08784066a9df03723b3485fa714f22f4ab7e1cbe719b0a91ab1a5d597ef9d567836375de929ea9397ce0685f00b908f3d0aa4d0288eb59f7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
a6776c201baae1dd6f88048d7747d14c

SHA1
646119d2e440e6dad0ffb0fe449ab4fc27f09fbe

SHA256
ee99af71c347ff53c4e15109cb597759e657a3e859d9530680eeea8bb0540112

SHA512
a9137af8529fd96dbba22c5179a16d112ec0bfab9792babe0a9f1cca27408eff73ba89f498cb5f941a5aa44555529ee10484e6ca4a3fbf1627523acfde622b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
fb731a1f96c9e34347cba5bb18e54581

SHA1
88a62edfbbd806b1043b4a1266c4708e1d47be1d

SHA256
c4c1d381f419731c848e4a20aef02a4436758935c9a274896228b9451956cc8e

SHA512
be6c94d6015edae41fa0d6464c7dc5976adbc3617e02b293b9a39e645ec173071f1f282959ddf264a133ce3b3bb9c434eb2e65fc607136f11d8eb07538168ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
8aad6a3a2fe9052ef218d5c8ce1995e1

SHA1
33748750e57cdc165fcdd186ae53003649607221

SHA256
e44d56d10ee14d4c4767a25839c2ef6826adbea3e15c2705b1d79676a63905b4

SHA512
841c70c63b243dea68c2ac9cd886731b6171dcf76a60932191fb29402585d6bbfcc98d11868fc6032f08c29d8e0040a2b896c32c2fb4697bd54dea2a52589ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2ebacbbda70b888b1bcc5e816d14f3a2

SHA1
ebf1763b0cee267040312deccb3dad61af1b9cf4

SHA256
96b11fa8aca734f4b1ddee377c84427d384f8e06affd99c63128797289fc9304

SHA512
af15fc2b1ff31a3550ae4e9ae45f7bbe728d839b288d6dc5f04859e27463ed946d5b2619736223ae401cee504e683b9fe9dffb65754280644dda91527eb46c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
87c57eddf837c1e7aaaddb451d3d981e

SHA1
5287af84ca9cdfa928355c3c899a43051169a2fd

SHA256
e65305c73e3540491a0c62103764d50d827a13d749f76cb2af593a800c93cf44

SHA512
0900608072d807082087275bd71061f7118534ea20d4cbd9b0e8190f500cd57feabe0bf7f9fac6438a7c4655ac405dd4ec17fd5f1a48b4f5dc70eb25e6f0e8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
2914ea20c9b8d79b1e98ea6b6dd85450

SHA1
2e25617bb4f3f6391658b5778f5248d9e6762c6b

SHA256
047d09b49dae9a101eb55277aa37c31390ea6c7187379b448122d77bd77bf005

SHA512
c0731aaecbca9b70151e7630e0dbc7d744d534effe56ad703df881f09c7820cb143873dbf95d57357d51be44d53a3b9862d0c6483ca6c70aad01a3f11350abc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
e496d42d228b5e90c7b96350dbb1159c

SHA1
746ba35a931e05aebda957608a6e28c1699237aa

SHA256
1ff617fb9d681551fb456aabaae078c0ac7f96580ac1144ea441826a6d98caef

SHA512
ce555cb7fc0625d7568b002306e203e013f03127aad7383ce26774cb1f1fa820f5fa6145dc9f5930b4d0791631bdbce2ee2e4ee3efa7720b1b2c413ff782e197

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
10d466341e7ece8cf75b5d026105741b

SHA1
31d1e9b9a4511156695b5aa33d65b6a36f8139c2

SHA256
5ce391edb33c7055e724a4c3cecc64d16ba2aa4724cb99cd5aed00b0cecfbc82

SHA512
8778fd10c7360bd87db048a2b2ca6603455fd8cb4d0e18709f106b55db7cc92e7d6dc45385ff9def445b368376462e7d253442728d5e759faa97299b67a59e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
8222b0f8bcf884433a55996253963a96

SHA1
35914b003bbe6527e2479d7f897024915821500f

SHA256
7f18dc2971d15434bfe03c4842dced10b466e849d782a1c8e398d96c2e2b12e2

SHA512
5e67b25af8a1f23450cf8807135fea1ec39dfe8ff7cd3858e492ae9e016a23967ed6009da8868cd9dc87d583c3b7e6fb66d00bd48a7bba6b0eea638716514cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
5bc2660d94760af50f96b1999de6cfab

SHA1
75dec9b15bf9181f0e8015992b678bac718d8c0b

SHA256
03bebf73df97beed5da608cae73324df2aaec092277d53ce8c119031cf8e21fd

SHA512
7e9c67b5e46b35ba3f733110cf7fe35ac9dc1b41a4f7633180cd69631d1b82bcac99f8b94b6f36a373f72bc4fd7eeaac21a8fb51830914a32e19d738208ca636

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
4bb011d3e58e958e94ca23ae05a8e958

SHA1
741af22136c1d6dce03c75c68e977c05d76ac027

SHA256
06b0fd7e6d7cbe35177af8fc17863f247bd5caee64543e3a9a125253d51af777

SHA512
07668515aa4099c390ce30ef3415e412113483da792d7cd02bb3ddce561719e808d6be81b90d599f4a7fa50ba27382c8d84ecb45292200bba7094a5204ff7715

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
16a97489dab15db9b9713c53726f3411

SHA1
c15ad01807955374283805104233bd56760b25c9

SHA256
9c06541d13c7088f313aab0be5af20b72e583f34e442df3d2fc29953640d4812

SHA512
54ffa278e4d0975830c1a8eff9b7fc41d487cd9e8390d0e14f58cff62efadfc5816bcda3ca11e2b1cbaeecb20546839593f7c6ea9500eef433f299861d205822

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
3491700e847fb9e9c4413fc82a0ad285

SHA1
03694cd43a06bb2fff6a1d85f73bd7b87198e07e

SHA256
ed969fae3cf64f46b5f4d2447980befd6f0a7fd05802529dbc793f3c014bc46c

SHA512
07e81eabcef621ec6a84e1932e299e0b865c06e6f9907017bbed0121771712b007a18771099131f24da134f3cbff0a7af30ca4e1c262b117e8bacf055cd54002

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
e3ede68927c68aa73ac95722d24334ce

SHA1
dbe71e1a56f9b7569b4a568bb67e37c38011b879

SHA256
5dd42e524920f4cb467031eb9e0e440bbe73de0fb39f71e65736a2ab2f6fcfe8

SHA512
d935058d8409b518d82336dc0b1521bf411ef77ef49485ede15baf5d1ac527f46ad813ebdb889c0f9999d553a879150d5ba41ce3a0b11d5ca08907e378fc9b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
3cca955cde8362605fc268e4b12accaa

SHA1
6f3c214ef223f35495c0cb0ee359b9d975c14e72

SHA256
34c6e58abcce5bccace50df3bd6c3e2d3f4e8413b14aae8e707ddfddccdeba6d

SHA512
5b7fe7deb6066c53bd41479172eac2736301f5cf32921f13d2ce6ad2811925e7bc1c436627698050be86ddf18852eeac927be4efc2182d857b31f637adc6c206

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
e6184d65799033dbee51667790130016

SHA1
b00461d14ffa2beab0887bcb716f331090cce8c9

SHA256
eecac10f830ad0dcbdf0f0dc1422ef5cfed490a877429a4674aecc560869a5e5

SHA512
987c14f8c22ae0d6c1005cc7b0d9a240283c2120e8ded030a407f25fb7786f7283980850ca243859f0148dbeb7bfaec01c8208865b81046999252d07e5f42d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
fa9b5cec8eed4fef73ec60d7f4c1eb1e

SHA1
03f19b2886688de1fb2016d614fe514f8b508250

SHA256
09f19b41a8d71cd5174efdae2a7649022780434d7c4416d6121153359aa85918

SHA512
744288d8903fdceed87cc5b7e0e286fab59584b57acdd943b04c5f6a39391a1662961a686344c1fdce36aea039adf8b1fcfc883e06011dd592077931716cdff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
be6d51793bc63716fb45cb49958b0f6a

SHA1
e2563b2c324b58bad602c46bc4d6148ce5319c10

SHA256
edd8206ef8caf25e955e9fba2c9c8ebf73d8ec3fd0f562372f7ed8b8f7004c2f

SHA512
31fa876b8dc54d882db0d8a3c7e6784b893b6c8b4a04688261720d75402cb4229f07c70df4dabb032b63940d8e3ba95978d439b5f0f9a21c62a8adbcc92bcabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
ce04551e4a578993207eed8f49e045dc

SHA1
f2ea2b8901458263879e76f67c4154559252aa5b

SHA256
f6ba90e21a1e31ff2be7292c2a03d20570788fd829e075ab4a6d37a9ca2ba194

SHA512
872af73065241877679e96dd6c5e8458417436241262829a378768aa47cb290f45aab67ddf205bccd6846a2189a0bd26a31fb01f1d7886fe93067687055f4fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
03f1e99c4258416b4c6800081b3701e2

SHA1
502d6654cc0a331b8c45eb760db39edbc3ee93c9

SHA256
abf8a6ad52f6c71458dc2c159eb8ce7a297494177f8e05fd52a1e7bceb493426

SHA512
7a1fc6488c4eee4a32963b1e78b76ac1c4d4c196c8b2743ae4cc89805fa02f554210d0fe5a87afa258abe3c24c710315facdea997e7aa2effcf8664b8531c459

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
c4af0dc7d97105deac352f569beb603d

SHA1
f52d7ee9ae432dbf5b42d5fb2a816411138d7e03

SHA256
b66ae7e1d0da45a758b2ec9d2727f8f59a2d0a59bf43be347369381338c6afb3

SHA512
8961b1acab372511d45b4cb08f6672bebc436f19c854f73058bb28e56ddd57dfd18aab785b39e0b1254ce9e2989e6db744e1de503429932fce2b0f53f000d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
b5c0e86861a795b607b3dddf29ceab01

SHA1
4ece72b0a9d8f42da935f9affe3280b48805d9c1

SHA256
837167faa319cab764615fcfdb375008aed60c399b139dc0b3b0338a106f3b18

SHA512
6ec88fbbbdd3377650bc575da6f1d1a8f94b445bceb6d96894a511b690cd3af63be5df448bc6bcac0e3200086f90cd1707c5b281bacfbbdf7a02f984f3ddf32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\base_library.zip

Filesize
859KB

MD5
4c60bcc38288ed81c09957fc6b4cd7cd

SHA1
e7f08d71e567ea73bb30656953837314c8d715a7

SHA256
9d6f7b75918990ec9cd5820624130af309a2045119209bd90b4f70bc3abd3733

SHA512
856d97b81a2cb53dcba0136afa0782e0f3f81bea46f98e0247582b2e28870b837be3c03e87562b918ec6bc76469eecc2c22599238d191d3fba467f7031a2acaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\blank.aes

Filesize
73KB

MD5
1db05f65a05141aa212fda1ebbdb6cc3

SHA1
18ea25f3e586879147333ff29e7612cde9697cab

SHA256
af6ff064b859ce07a9e2dc9726438653edf5ff4b6732f0863dd5c6c211d3fd02

SHA512
ae27696b8f9d3ba9c9cbcfdbe2ed82f24e227ed8706d069d3cd71a0cda82cdddbd8db7926e56ed2f87c428765c38a92082ec012affcc84271b84db89f108431c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\libssl-1_1.dll

Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\python310.dll

Filesize
1.4MB

MD5
4a6afa2200b1918c413d511c5a3c041c

SHA1
39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3

SHA256
bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da

SHA512
dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\select.pyd

Filesize
25KB

MD5
b6de7c98e66bde6ecffbf0a1397a6b90

SHA1
63823ef106e8fd9ea69af01d8fe474230596c882

SHA256
84b2119ed6c33dfbdf29785292a529aabbf75139d163cfbcc99805623bb3863c

SHA512
1fc26e8edc447d87a4213cb5df5d18f990bba80e5635e83193f2ae5368dd88a81fddfb4575ef4475e9bf2a6d75c5c66c8ed772496ffa761c0d8644fcf40517ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\sqlite3.dll

Filesize
622KB

MD5
0c4996047b6efda770b03f8f231e39b8

SHA1
dffcabcd4e950cc8ee94c313f1a59e3021a0ad48

SHA256
983f31bc687e0537d6028a9a65f4825cc560bbf3cb3eb0d3c0fcc2238219b5ed

SHA512
112773b83b5b4b71007f2668b0344bf45db03bbe1f97ae738615f3c4e2f8afb54b3ae095ea1131bf858ddfb1e585389658af5db56561609a154ae6bb80dc79ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5242\unicodedata.pyd

Filesize
289KB

MD5
c697dc94bdf07a57d84c7c3aa96a2991

SHA1
641106acd3f51e6db1d51aa2e4d4e79cf71dc1ab

SHA256
58605600fdaafbc0052a4c1eb92f68005307554cf5ad04c226c320a1c14f789e

SHA512
4f735678b7e38c8e8b693593696f9483cf21f00aea2a6027e908515aa047ec873578c5068354973786e9cfd0d25b7ab1dd6cbb1b97654f202cbb17e233247a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_thdgo0iw.lgl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2012-174-0x00007FFF0BB30000-0x00007FFF0C5F1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-150-0x00007FFF0BB30000-0x00007FFF0C5F1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-148-0x00007FFF0BB30000-0x00007FFF0C5F1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-147-0x00007FFF0BB33000-0x00007FFF0BB35000-memory.dmp

Filesize
8KB

Download
memory/2372-145-0x00007FFF1C760000-0x00007FFF1C76D000-memory.dmp

Filesize
52KB

Download
memory/2372-187-0x00007FFF0C980000-0x00007FFF0CAFA000-memory.dmp

Filesize
1.5MB

Download
memory/2372-138-0x00007FFF1C7A0000-0x00007FFF1C7AD000-memory.dmp

Filesize
52KB

Download
memory/2372-137-0x00007FFF1CA00000-0x00007FFF1CA19000-memory.dmp

Filesize
100KB

Download
memory/2372-142-0x00007FFF0C600000-0x00007FFF0C979000-memory.dmp

Filesize
3.5MB

Download
memory/2372-141-0x00007FFF14CE0000-0x00007FFF14D98000-memory.dmp

Filesize
736KB

Download
memory/2372-140-0x00007FFF1C770000-0x00007FFF1C79E000-memory.dmp

Filesize
184KB

Download
memory/2372-139-0x00007FFF0CB00000-0x00007FFF0CF66000-memory.dmp

Filesize
4.4MB

Download
memory/2372-143-0x00007FFF1CA90000-0x00007FFF1CAB4000-memory.dmp

Filesize
144KB

Download
memory/2372-135-0x00007FFF1CA20000-0x00007FFF1CA3F000-memory.dmp

Filesize
124KB

Download
memory/2372-144-0x00007FFF1C700000-0x00007FFF1C715000-memory.dmp

Filesize
84KB

Download
memory/2372-146-0x00007FFF1CA60000-0x00007FFF1CA8C000-memory.dmp

Filesize
176KB

Download
memory/2372-134-0x00007FFF1CA40000-0x00007FFF1CA58000-memory.dmp

Filesize
96KB

Download
memory/2372-133-0x00007FFF1CA60000-0x00007FFF1CA8C000-memory.dmp

Filesize
176KB

Download
memory/2372-149-0x00007FFF1CA40000-0x00007FFF1CA58000-memory.dmp

Filesize
96KB

Download
memory/2372-68-0x00007FFF0CB00000-0x00007FFF0CF66000-memory.dmp

Filesize
4.4MB

Download
memory/2372-256-0x00007FFF1C7A0000-0x00007FFF1C7AD000-memory.dmp

Filesize
52KB

Download
memory/2372-73-0x00007FFF1CA90000-0x00007FFF1CAB4000-memory.dmp

Filesize
144KB

Download
memory/2372-114-0x00007FFF20670000-0x00007FFF2067F000-memory.dmp

Filesize
60KB

Download
memory/2372-176-0x00007FFF0C4E0000-0x00007FFF0C5F8000-memory.dmp

Filesize
1.1MB

Download
memory/2372-175-0x00007FFF1CA20000-0x00007FFF1CA3F000-memory.dmp

Filesize
124KB

Download
memory/2372-136-0x00007FFF0C980000-0x00007FFF0CAFA000-memory.dmp

Filesize
1.5MB

Download
memory/2372-200-0x00007FFF1CA00000-0x00007FFF1CA19000-memory.dmp

Filesize
100KB

Download
memory/2372-216-0x00007FFF14CE0000-0x00007FFF14D98000-memory.dmp

Filesize
736KB

Download
memory/2372-215-0x00007FFF1C770000-0x00007FFF1C79E000-memory.dmp

Filesize
184KB

Download
memory/2372-227-0x00007FFF0C600000-0x00007FFF0C979000-memory.dmp

Filesize
3.5MB

Download
memory/2372-241-0x00007FFF0CB00000-0x00007FFF0CF66000-memory.dmp

Filesize
4.4MB

Download
memory/2372-257-0x00007FFF1CA90000-0x00007FFF1CAB4000-memory.dmp

Filesize
144KB

Download
memory/2372-269-0x00007FFF0C4E0000-0x00007FFF0C5F8000-memory.dmp

Filesize
1.1MB

Download
memory/2372-268-0x00007FFF1C760000-0x00007FFF1C76D000-memory.dmp

Filesize
52KB

Download
memory/2372-267-0x00007FFF1C700000-0x00007FFF1C715000-memory.dmp

Filesize
84KB

Download
memory/2372-266-0x00007FFF14CE0000-0x00007FFF14D98000-memory.dmp

Filesize
736KB

Download
memory/2372-265-0x00007FFF1C770000-0x00007FFF1C79E000-memory.dmp

Filesize
184KB

Download
memory/2372-264-0x00007FFF0C600000-0x00007FFF0C979000-memory.dmp

Filesize
3.5MB

Download
memory/2372-263-0x00007FFF1CA00000-0x00007FFF1CA19000-memory.dmp

Filesize
100KB

Download
memory/2372-262-0x00007FFF0C980000-0x00007FFF0CAFA000-memory.dmp

Filesize
1.5MB

Download
memory/2372-261-0x00007FFF1CA20000-0x00007FFF1CA3F000-memory.dmp

Filesize
124KB

Download
memory/2372-260-0x00007FFF1CA40000-0x00007FFF1CA58000-memory.dmp

Filesize
96KB

Download
memory/2372-259-0x00007FFF1CA60000-0x00007FFF1CA8C000-memory.dmp

Filesize
176KB

Download
memory/2372-258-0x00007FFF20670000-0x00007FFF2067F000-memory.dmp

Filesize
60KB

Download
memory/4872-156-0x000001A250200000-0x000001A250222000-memory.dmp

Filesize
136KB

Download