Analysis
-
max time kernel
75s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
27-12-2022 05:33
General
-
Target
Half-Life.bat
-
Size
290B
-
MD5
f74e6b5246c889bbed2ab6458d00b16c
-
SHA1
87823a620d7eab058b6e490b64957b57d70895a0
-
SHA256
e8f77c6ed8ccf23a9a3aecceadf0794f486ea39f6fd9f99a8c249cfef30af3c3
-
SHA512
3a1edf80ed520dbfca88beb69b62db3e520227c8f8e3b1b9356600d029ad8d098662693c4798d8b07aa73ae3ac61adb0ab02c9ec4bdc1a76f249027be3f82949
Malware Config
Signatures
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 9 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 9 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 15 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
-
Suspicious behavior: LoadsDriver 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Half-Life.bat"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff896f94f50,0x7ff896f94f60,0x7ff896f94f702⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2336 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4504 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4908 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4472 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4468 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level2⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff6f66fa890,0x7ff6f66fa8a0,0x7ff6f66fa8b03⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5836 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5816 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6300 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6248 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\cgsetup_en_52GyYvig6QSzND3sbkgg.exe"C:\Users\Admin\Downloads\cgsetup_en_52GyYvig6QSzND3sbkgg.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\889ddf7c-911a-4037-81f3-75d63b378d11\1cf298ca-7f46-4288-ad05-1c70ede1be67.exe"C:\Users\Admin\AppData\Local\Temp\889ddf7c-911a-4037-81f3-75d63b378d11\1cf298ca-7f46-4288-ad05-1c70ede1be67.exe" "C:\Users\Admin\Downloads\cgsetup_en_52GyYvig6QSzND3sbkgg.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\CyberGhost 8\Dashboard.exe"C:\Program Files\CyberGhost 8\Dashboard.exe" /install4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\CyberGhost 8\Dashboard.Service.exe"C:\Program Files\CyberGhost 8\Dashboard.Service.exe" --install5⤵
- Executes dropped EXE
-
-
C:\Program Files\CyberGhost 8\Applications\VPN\Data\OpenVPN\x64\tap-windows-9.21.2.exe"C:\Program Files\CyberGhost 8\Applications\VPN\Data\OpenVPN\x64\tap-windows-9.21.2.exe" /S5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\TAP-Windows\bin\tapinstall.exe"C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap09016⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
C:\Program Files\TAP-Windows\bin\tapinstall.exe"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap09016⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Program Files\CyberGhost 8\Applications\VPN\Data\WireGuard\tun-driver64.msi" /qn REBOOT=ReallySuppress5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files\CyberGhost 8\Dashboard.exe"C:\Program Files\CyberGhost 8\Dashboard.exe" /firststart4⤵
-
C:\Program Files\CyberGhost 8\Data\Cef\x64\CefSharp.BrowserSubprocess.exe"C:\Program Files\CyberGhost 8\Data\Cef\x64\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\CyberGhost 8\debug.log" --mojo-platform-channel-handle=6204 --field-trial-handle=5896,i,10382616755843598083,13008470222249626761,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2 --host-process-id=27765⤵
-
-
C:\Program Files\CyberGhost 8\Data\Cef\x64\CefSharp.BrowserSubprocess.exe"C:\Program Files\CyberGhost 8\Data\Cef\x64\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\CyberGhost 8\debug.log" --mojo-platform-channel-handle=6364 --field-trial-handle=5896,i,10382616755843598083,13008470222249626761,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=27765⤵
-
-
C:\Program Files\CyberGhost 8\Data\Cef\x64\CefSharp.BrowserSubprocess.exe"C:\Program Files\CyberGhost 8\Data\Cef\x64\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Program Files\CyberGhost 8\debug.log" --mojo-platform-channel-handle=6400 --field-trial-handle=5896,i,10382616755843598083,13008470222249626761,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=27765⤵
-
-
C:\Program Files\CyberGhost 8\Data\Cef\x64\CefSharp.BrowserSubprocess.exe"C:\Program Files\CyberGhost 8\Data\Cef\x64\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --first-renderer-process --no-sandbox --log-file="C:\Program Files\CyberGhost 8\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=6552 --field-trial-handle=5896,i,10382616755843598083,13008470222249626761,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=2776 /prefetch:15⤵
-
-
C:\Program Files\CyberGhost 8\Data\Cef\x64\CefSharp.BrowserSubprocess.exe"C:\Program Files\CyberGhost 8\Data\Cef\x64\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Program Files\CyberGhost 8\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=6560 --field-trial-handle=5896,i,10382616755843598083,13008470222249626761,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=2776 /prefetch:15⤵
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1572 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2688 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3772 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,14778102642109331515,11801313516241215194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\CyberGhost 8\Dashboard.Service.exe"C:\Program Files\CyberGhost 8\Dashboard.Service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\CyberGhost 8\wyUpdate.exe"C:\Program Files\CyberGhost 8\wyUpdate.exe" /justcheck /quickcheck /noerr -server="https://download.cyberghostvpn.com/windows/updates/8/nt/wyserver.wys"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe"C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe" "Ethernet 2" /d *2⤵
-
-
C:\Windows\system32\netsh.exe"netsh" interface ip set address "Ethernet 2" static 169.254.123.57 255.255.0.02⤵
-
-
C:\Windows\system32\netsh.exe"netsh" interface set interface "Ethernet 2" DISABLED2⤵
-
-
C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe"C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe" "Ethernet 2" /e ms_tcpip2⤵
-
-
C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe"C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe" "Ethernet 2" /e ms_tcpip62⤵
-
-
C:\Windows\system32\netsh.exe"netsh" interface set interface "Ethernet 2" ENABLED2⤵
-
-
C:\Windows\system32\netsh.exe"netsh" interface ipv6 set teredo disable2⤵
-
-
C:\Windows\system32\netsh.exe"netsh" interface ip set address "Ethernet 2" static 169.254.123.200 255.255.0.02⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{81638d76-e9dd-3c48-82e7-16ef32f15f7f}\oemvista.inf" "9" "4d14a44ff" "0000000000000154" "WinSta0\Default" "0000000000000140" "208" "c:\program files\tap-windows\driver"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3e967ebd-c04f-a34e-9931-e7d3c1851ef4} Global\{44e1f398-9d05-b845-abea-9d76b61366bc} C:\Windows\System32\DriverStore\Temp\{5378a721-ef03-c943-8ad5-ad2505f492fd}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{5378a721-ef03-c943-8ad5-ad2505f492fd}\tap0901.cat2⤵
- Modifies system certificate store
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "C:\Windows\Temp\d0fdf2fae4cf0c951d0c167a25264d7b98ff8b807c641bd45fdcfbb7f9f76709\wintun.inf" "9" "46beb126b" "0000000000000154" "WinSta0\Default" "0000000000000168" "208" "C:\Windows\Temp\d0fdf2fae4cf0c951d0c167a25264d7b98ff8b807c641bd45fdcfbb7f9f76709"2⤵
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 3755E4F8E1A449C5938B60B63837FB2B2⤵
- Loads dropped DLL
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 9624D69FDE1465FBCE8CA5697F3556A7 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in System32 directory
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340KB
MD581f60bb3c4825cc411873c92ff403077
SHA12ab32b4a1c3fac14a198d427077c87d01923af92
SHA25657127853974396db826cdaa56058d39749e8654baf6ba595f3a4712a7230e731
SHA5128a9fa259e93ae0f5d1efbfecdebad754abddbb11499ae6182454999c954b04a1fc286e21ad9c922fa494a81fedc5aa54cc32a286e6192325eb46bb55a457557b
-
Filesize
236KB
MD54967eb74a5173cc966bc08a434363701
SHA149fb8a69ed216db994e23a1f45c793d5315bba7b
SHA25681e91ad464f377fcca6f04fbc8f2eecdec41bf667185f7df5cb3159fcd07f133
SHA51292dec397a4f608176d229e92558fbb5391b153012ac8551bbea72373b06e0ed6382c92b26b216a180213fdaffc17a269406a244ebe139855b7277ee93c34c00b
-
Filesize
441KB
MD55be78750c920cd6160ec18b5861dc885
SHA1c9274ad66be5e3f2bf999c9e929c1a8b771a0e73
SHA256e270fdd3ed9962f552f66d6f9f2e81fbab4c193d153e746d6e3b089f42b752d3
SHA512ef6eb4a264d56687b4874280022f278660a7742be3bf8d8c6af8908d2542bf8e67005f06dcc1ee72499a8c94d4e88ca9f9091451a0bd089ab27bb67112f2de70
-
Filesize
53KB
MD5f5eaf73a0a001f0dddd2ce00f00928c2
SHA18ea883fbcc1fb763ac19dc0da58e86cbc725fd1e
SHA25669fa255a13c9d3bcad72421d99bcec91ed8b35cb64e54984409d9f125dcac1ff
SHA51216cad47c0ee30164a6b8a8935893422c8c12b0812c6d36125a8ff8e5ef5311973bb9546b61511c2cc2e9f950cd3daf4504d2d83b6e5fb1dccc37271c51d43e61
-
Filesize
627KB
MD5c76fe990bd6945db1601b74a842ac730
SHA13994bc13be6e98b4ee1760280e626cb8cdbce85d
SHA25650a6729c8d0e10cccfefe6764acb9ba00ed066ab10a549d577e88d4c0c739f42
SHA512b383ba984ea3657016618ffcfe604fa5531462d50bb6f0c728bf33603a5f885b611d7342d9e51f26b0319035fe71989c1b7ae6c36f19647b1b73ba6c6d1c6675
-
Filesize
204KB
MD5a00b936d6cf4c11a2c68167fa1e28ef5
SHA197f4f758951c610e3e0945f42a4e9f7bb2c72a17
SHA256172c89fdd4210a0ebdd45334f3716f213fd4f412978286aa787eb2a22231e7d0
SHA512161cd7b7b25b0509c6b4f76ad995361a595ba9c64f9582c8024cb7eb2ddabd69d5beb6d68cae8dd33386486a72ad83ef2b47e08d350f81645e806f30deea590e
-
Filesize
197KB
MD5ed9bf0893419f045d6c487f9aa104b49
SHA1bfda2909e3168825df27d7e08727305335d8a453
SHA2565dde49e4c8ab75a57de568d3aaab850070be60b550f5f4bf2c614d16dc50bfd7
SHA5129d7ea22f2b4cf87f55c7a2e7fd71d2019f8b0db8e5fa118bf4f3327960b70c3e9d8f53b1128430f33759977a08869a8141449830b6b0b378539557a82f12ae49
-
Filesize
156KB
MD514f256faf16b929b13b77a69969e231e
SHA1577e0ec20aa649ae6239ceb461a56dac1e06e253
SHA2567557fa442f150ff10b7096ff9682df4728b5d6d4729c59c0401b756fde7a2c8c
SHA51278bd22f755bcc7205a9f4df38c95f9984876c1462a6a98a1bf583de220150ab12fa993512a8a97a39eef5455f7dbd410a492402789c825ba4eb95dedfb926caa
-
Filesize
31KB
MD5f15ef1481c42ed7170fa10c3c5b7d507
SHA15a487bf04d5cccd53d9f70ebf7f192375a6003ee
SHA256d410d3fda23710385c088d84b9a846e51c5be6829a77b5c1637634be1a089c62
SHA512e23e841238f83bc613ebac53067c3f1cc278eb80712538ef13fae023867cf976ba357c5b3565308df2a00431e4acb0822a373d3af31c8add21144d8b9a64c753
-
Filesize
67KB
MD584a05773da0ff681ca0fcba762006fb1
SHA15490d36af2117eaccb43d60c7aba1f72f0eb06bc
SHA256070abd144e4e0dabf783fe108b32eb38bd452726c7955263594682da74df6de1
SHA5126befca2dccb8af3b4d81e2d725efc9f6bd1432563018f2b27db85991a86897c12e89feb6bdf9f2bc7c68e7da593430cee95f0a78792ba1af078501015cd66905
-
Filesize
67KB
MD584a05773da0ff681ca0fcba762006fb1
SHA15490d36af2117eaccb43d60c7aba1f72f0eb06bc
SHA256070abd144e4e0dabf783fe108b32eb38bd452726c7955263594682da74df6de1
SHA5126befca2dccb8af3b4d81e2d725efc9f6bd1432563018f2b27db85991a86897c12e89feb6bdf9f2bc7c68e7da593430cee95f0a78792ba1af078501015cd66905
-
Filesize
67KB
MD584a05773da0ff681ca0fcba762006fb1
SHA15490d36af2117eaccb43d60c7aba1f72f0eb06bc
SHA256070abd144e4e0dabf783fe108b32eb38bd452726c7955263594682da74df6de1
SHA5126befca2dccb8af3b4d81e2d725efc9f6bd1432563018f2b27db85991a86897c12e89feb6bdf9f2bc7c68e7da593430cee95f0a78792ba1af078501015cd66905
-
Filesize
909B
MD5e2338d4401885fc1abec3ed8bbccd958
SHA1fe9007da5f2e1ef7a456b4267b58106a6e3b1645
SHA256eb9201e1687c3ccbe326897dc10ffd4f5ce172be9c3b17c4e154fcb70ce76133
SHA51203041eb66dfd15c356f4de60d10c435809833bfa66f67d951ed54495dbd0e0985a871febd69c5d6104845adc3de4c984bf9d55e46399ac1956011a485273dff6
-
Filesize
1.3MB
MD5b9479bf714837d1f60f9880f8e290f33
SHA1af5c53c8efb5c30a8e7c69da1960c696aeb17683
SHA256dbfff227020c3d5e840571a910490f379b1e103aed251b636f52ee5b9709f698
SHA512c8c97b34e93793893a72c79bb5cfd31e5053f0d07f0a87d5eab0173dd9c12b40244efb4d9894046bc180e67c6ab464e0a4aae315f78744c2edc5b5bedea0a560
-
Filesize
1.3MB
MD5b9479bf714837d1f60f9880f8e290f33
SHA1af5c53c8efb5c30a8e7c69da1960c696aeb17683
SHA256dbfff227020c3d5e840571a910490f379b1e103aed251b636f52ee5b9709f698
SHA512c8c97b34e93793893a72c79bb5cfd31e5053f0d07f0a87d5eab0173dd9c12b40244efb4d9894046bc180e67c6ab464e0a4aae315f78744c2edc5b5bedea0a560
-
Filesize
1KB
MD5ef7fb38a6da851e9b2ad3c62002607dd
SHA1b74e836936794952b5d739f0d75eb3ee50f3a61c
SHA256870949fd91b0595a9d237dbc3fc3ce3b6b9126c721182116877550e6d1010989
SHA5120e3df69fc8c1294f1a37d150e3f205a9f61fad4c8c64bc6306df9c08a3c3debc2444c5bae78140ba8cea5b91d42aa3e138f4fb92705842201c11a50476aeeb01
-
Filesize
596KB
MD5f8010c6631166cbbafa224bc625dbeae
SHA1b65d7a3333472b8b78d7e61b3aaaa3e2547f9aa3
SHA256b7093d349cd231cea5955c75ec8d7b4964437fb1da6af9157463d5624b81149e
SHA512ff5d014007da753ffe23a52090e408f23105884ec4b80856ebb351d9fa41cd225362a6d9a93f1b35943c36fbf058ee09fc234f1e0d94d5b31150060fa57014b6
-
Filesize
687KB
MD5cc857ef8da12c7e6c0e7842c54037fd3
SHA15ec4f486b3d10e2158bfb9ff5adc32bfd42d81cf
SHA256e0205d1b03cbb1bd88eee8ebd8188939445a169c600449d4915b896080ce9ab7
SHA51224cecec9eb9ab3ef03bccf1ff01628d1394e9da6a2fe86d04592537a16bbceeec951d518d466b5f5aa3823d4d7d0e96e77d5d540126d579abebf5b08e972b0b4
-
Filesize
18KB
MD5553d6ae051c09266847d04ef9049cdc9
SHA1c1f845a787297d710eef675fcb4f7353a1c7ee1b
SHA2568d211708bf43edb971100a8110090b2537cc87b3490c359c24978b9c78ba9f7d
SHA512043e1f9c293ca8122765771f30cd609a4a3a00388ac1d3dca2b80dcfdda72f62c1e2c92dee9eb15e87112d5f1ef2759caffddee9a44ef3c5b5f15522dc29b4fe
-
Filesize
133KB
MD5310269a204fc70ee6cb52b9b2fce638e
SHA1630f0bc9e6d9b9bea0c852875bb6e0aac83c5615
SHA25693632d93396c8da17cdd4f6b92e9aa162bcf0d0ddf9a262477f769e0df926d12
SHA5127e60693276b0df0ee33ef9eff51199af63aa0f3b9efdc6c1739cec6c13965f6393c06e4b365cf648591fc01d291c348850473269bab629bfb107d31e50cbbca0
-
Filesize
100KB
MD5a183f0d155bd482f1e36c83c6eb0f6ba
SHA14345e30aed0f06402bafbe741e98a06af96069f6
SHA256dbee5b72b6c0f4edded375c224abb31d9387087946a53c5f5b12c4e6223aa471
SHA51219b46dae942df4751353d2c3cd949f51fde13fa6be6aaed5816f95ef4465e645bba9459a83537ba5e7db7db06e09f3477395e18280f2df568bf3ddafb50817b5
-
Filesize
87KB
MD5d73e77745045915f4d6618cc28b6d801
SHA1463e4efa398ab4c1a3c6a833437eb28a8c52537a
SHA256652e84820a7671bbf64798b114e16a5b630e4fbd57e32f4ac4d8e23e8cb6801f
SHA512f856ab8787c50b09ac36c81649e0e5f647e6708c92099a5b9d21ca00215fa95b6dd840065dc035ed9febd9f5a40422395a663ca6bc52f43451e9da622ae491b6
-
Filesize
39KB
MD5e4a7061bfe27358a3cafa17f3ef3e427
SHA19178f8f84b48ae9de63ee24d920c00b8e87b4606
SHA256aa7764b37122eb98d73c1ed2cb1eb5a01287841d117da8fc7da4f5029c851c6e
SHA512edda7a5a759abd4db1095a53831f4d30b6035243f4ec5a2cadcd0d0e24e13492f73001b9a73b8cf09dc7e2040e398dcd0485fe075089e538a390db20e193a20b
-
Filesize
426KB
MD52bc3df2af6a5df53327a52f29ef7fdd5
SHA1fdddbd3aad9cef21f11e2dc5a0fc1c9115be2b7d
SHA256282ce0ea78b42ff7313b0026abfeb7fe500caa1b2fa3556c141488f673817b34
SHA5126adb1118bd77ac10a076577e9785ca96ed05c85b8f45d059a0eb16956b5d7001d279d2779ff1accd5142f3eb9f258153a488626111a2ed9b07234adfcd906557
-
Filesize
506B
MD5709558dd211a25c360b2df733d6b57a9
SHA11b6689f9dec8bfe2831a2b27e7797b8b57fe3d28
SHA256ced9197f6e858ba488094b1ee3fe8942dd3675613d1920ce6a835aad7e319035
SHA5127df5b8378cbb483e2edd0ff76bb13e1a760d259b5c1b6ddd18007052df1f903347a905b64566a2e4a270ca6b6f5d6bf271100e5f502ae1d39900ca3377522009
-
Filesize
248B
MD5d75695edc990d893cff1ff4173408cac
SHA19aef056f1d6cbd1a689474818df001fdfb16a286
SHA256e72b1e0421197d33754b08dcb83017ae36c565465f2d47865fbb7299ede4cd72
SHA512fc848046facbe8416e657f1526090584adaeaeb1b2d27fef9b1519477946832c718783f64ed7c478be6f991645cd6208d8cea462b038732558326afb206263b6
-
Filesize
2.6MB
MD5df4c8d0e98e86ec434ff4e8416355ffc
SHA192ca94a3e7d5d2ebadeef424c962b4a254bf9c0a
SHA2569dbc253908010bad0656634f55da3b9939e2d8ce9889156f643eead673ba4f60
SHA5120e987cd3ce5cc87e779be8f0ded05c59e9674655b6dcb5c9e5f90aa57b0d13d1fe6f09c9062e4775c685628245126f7715308e16ca21e0e907845d9ac737b85a
-
Filesize
2.6MB
MD5df4c8d0e98e86ec434ff4e8416355ffc
SHA192ca94a3e7d5d2ebadeef424c962b4a254bf9c0a
SHA2569dbc253908010bad0656634f55da3b9939e2d8ce9889156f643eead673ba4f60
SHA5120e987cd3ce5cc87e779be8f0ded05c59e9674655b6dcb5c9e5f90aa57b0d13d1fe6f09c9062e4775c685628245126f7715308e16ca21e0e907845d9ac737b85a
-
Filesize
86KB
MD5089263948175a716ac2db72f39f7572b
SHA17c98e155c4dffdb21f7ad09d1b338540f74161ee
SHA256191c60d67d28e545303e84b5480a1708b844732698f6791d3f50a3d4ac034493
SHA51284ed1204466d0da200fc4ee28771f2b8973df86b01988246cc4c41b4b514b9893f325a48a0d63edaad99ec2ac097244afbffe4d71e5f14c0fca2910e93606fec
-
Filesize
86KB
MD5089263948175a716ac2db72f39f7572b
SHA17c98e155c4dffdb21f7ad09d1b338540f74161ee
SHA256191c60d67d28e545303e84b5480a1708b844732698f6791d3f50a3d4ac034493
SHA51284ed1204466d0da200fc4ee28771f2b8973df86b01988246cc4c41b4b514b9893f325a48a0d63edaad99ec2ac097244afbffe4d71e5f14c0fca2910e93606fec
-
-
Filesize
64KB
-
Filesize
216KB
-
-
Filesize
248KB
-
Filesize
360KB
-
Filesize
72KB
-
Filesize
1.3MB
-
Filesize
640KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
616KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
704KB
-
Filesize
64KB
-
Filesize
152KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
176KB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
-
Filesize
10.8MB
-
Filesize
96KB
-
Filesize
10.8MB
-
Filesize
240KB
-
Filesize
10.8MB
-
Filesize
80KB
-
-
Filesize
10.8MB
-
Filesize
72KB
-
-
-
-
Filesize
10.8MB
-
-
Filesize
432KB
-
-
-
Filesize
144KB
-
Filesize
736KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
456KB
-
Filesize
800KB
-
Filesize
136KB
-
Filesize
208KB
-
Filesize
184KB
-
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
320KB
-
-
Filesize
472KB
-
Filesize
2.6MB
-
Filesize
32KB
-
Filesize
32KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-