Analysis
-
max time kernel
405s -
max time network
403s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
25-04-2024 10:28
General
-
Target
fixer (2).exe
-
Size
180KB
-
MD5
db1841bfa15492d1f6a4b46e921068a4
-
SHA1
9526c45f7a9d59e0a5dda1b57ddbaf8425716e9e
-
SHA256
176b2fbe38f0d14ee68c65c56e2731646473c0f51e92d3affd2048959fab6bd8
-
SHA512
22110b41d057696ed5604c84fb40c881024cc8bb045135e258e6f7b0c5baac29d40b7b2b4cb1c4a3391ab2944b43c6b293ec628901abf6447124404111e41b18
-
SSDEEP
3072:jh+8/+IVkJZ5UkcGkKLv/YiJlNZ9pshMniWGkJAPXsPzljLD3rv8Gz:jh95UZ5L8KL3YirfbshMiWFusPzljLDV
Malware Config
Signatures
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 5 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 32 IoCs
-
Modifies registry class 6 IoCs
-
NTFS ADS 5 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 54 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fixer (2).exe"C:\Users\Admin\AppData\Local\Temp\fixer (2).exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "uwudaddy" /tr '"C:\Users\Admin\AppData\Roaming\uwudaddy.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "uwudaddy" /tr '"C:\Users\Admin\AppData\Roaming\uwudaddy.exe"'3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4CA9.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\uwudaddy.exe"C:\Users\Admin\AppData\Roaming\uwudaddy.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\DismountRemove.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -nohome1⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -nohome1⤵
- Modifies Internet Explorer settings
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff896953cb8,0x7ff896953cc8,0x7ff896953cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1664 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=1244 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5712 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6272 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6732 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\xbox 360 hax 2008.bat" "2⤵
-
C:\Windows\system32\PING.EXEping localhost -n 53⤵
- Runs ping.exe
-
-
C:\Windows\system32\calc.execalc3⤵
- Modifies registry class
-
-
C:\Windows\system32\notepad.exenotepad3⤵
-
-
C:\Windows\explorer.exeexplorer3⤵
- Modifies registry class
-
-
C:\Windows\regedit.exeregedit3⤵
- Runs regedit.exe
-
-
C:\Windows\system32\tree.comtree3⤵
-
-
-
C:\Users\Admin\Downloads\Covid22-Joke.exe"C:\Users\Admin\Downloads\Covid22-Joke.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8F4C.tmp\Covid22-Joke.cmd""3⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\8F4C.tmp\CLWCP.execlwcp c:\c22joke\covid.jpg4⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8F4C.tmp\lole.vbs"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\8F4C.tmp\CoronaPopup.exeCoronaPopup.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\8F4C.tmp\MouseDraw.exeMouseDraw.exe4⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\timeout.exetimeout 2 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8F4C.tmp\IconSpam.exeIconSpam.exe4⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\timeout.exetimeout 2 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8F4C.tmp\inv.exeInv.exe4⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\timeout.exetimeout 5 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8F4C.tmp\ClutterScreen.exeClutterScreen.exe4⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\timeout.exetimeout 2 /nobreak4⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,9955327785960462799,15809110869220668620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Sigma.zip\Sigma.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Sigma.zip\Sigma.exe"1⤵
- Disables RegEdit via registry modification
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\appidtel.exe"C:\Windows\System32\appidtel.exe"2⤵
-
-
C:\Windows\SysWOW64\ARP.EXE"C:\Windows\System32\ARP.EXE"2⤵
-
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe"2⤵
-
-
C:\Windows\SysWOW64\AtBroker.exe"C:\Windows\System32\AtBroker.exe"2⤵
-
-
C:\Windows\SysWOW64\attrib.exe"C:\Windows\System32\attrib.exe"2⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\auditpol.exe"C:\Windows\System32\auditpol.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\System32\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\backgroundTaskHost.exe"C:\Windows\System32\backgroundTaskHost.exe"2⤵
-
-
C:\Windows\SysWOW64\BackgroundTransferHost.exe"C:\Windows\System32\BackgroundTransferHost.exe"2⤵
-
-
C:\Windows\SysWOW64\bitsadmin.exe"C:\Windows\System32\bitsadmin.exe"2⤵
-
-
C:\Windows\SysWOW64\bthudtask.exe"C:\Windows\System32\bthudtask.exe"2⤵
-
-
C:\Windows\SysWOW64\ByteCodeGenerator.exe"C:\Windows\System32\ByteCodeGenerator.exe"2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 11882⤵
- Program crash
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004E01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2960 -ip 29601⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD554caf18c2cda579e0dad6a9fc5179562
SHA1357d25de14903392900d034e37f5918b522e17c9
SHA25628d77529de92eb605d8afee0e133a7d08e13d4386e5e38d63e2da34623eaad6b
SHA51288da5a33df9d82408afb8344ec7dbaf7686435fdb55eccfb85d5560f39861e84cef5d71949d5efe7a191778e6be755a8448f3fc3d7043007037f9f5227e10210
-
Filesize
152B
MD5696ffba7b83ecf008523e96918f200d9
SHA1970d90e22c8b3674fc33cdd1913c51ef28514255
SHA256dc6dacd725d7385b2e4db1f488d93f2840d2289efdaaf3737849304d1ab9ba34
SHA512f8528683b70b58376f3eba3338fa6b462c9e9248c72524573005cff6397a0556bdcc2fdc2ebb020ba8218bc8174ba552002f223a245dfe3d3688826d24d63237
-
Filesize
3KB
MD5f4766ba5d58752f08d02bb5c0a21b14f
SHA18bc933f3f6ab728f575dfd68d54bddee4c8187df
SHA256b9067d5d9b1d13280e23a2590745298b24bb710a4ad64b21b8bb8e3823a140d8
SHA512c717720957ac597966d8c67f3144c53f5ca76e6bb0399086206a41bed6dbfb059dc99c282b3010f173c29bfae78d6515b638ae4ff5b1b7785de7d3967b88a1eb
-
Filesize
3KB
MD533beb39d59158ac0ca5a15722d31fa9f
SHA14fb55e4105fb59974caa4303bcb46b6f7121e618
SHA25647c1bab9e1015832947600dd931ef3be4c6795014d094859733b6ed2b3029061
SHA512ea85ca6a5692831caa1925e21a1e1eeb9b7c0be8a6f2cf51022bf4d1f153fa830ec01137abcef4e4e177b3fee44b89a11dfcf82016c45c39b01656c4914d5d45
-
Filesize
1019B
MD5f33228aedee0cf82decc6921ae6cc9e3
SHA1f59c8e6002c33bf34a828fcfbc0ba6714eddd08d
SHA25623021ff5f27350528ce2a0ee0a68d5313c0620ebbe4667bb062d862487f8eb31
SHA51299595c188662d7dd1c9ea5df5d215ecfedd1f6f93faa4c5e3552401c678ca445e06dd6edf1b14146606a491eaedcc02656a77d2715df81c92a02ed1279a39af2
-
Filesize
936B
MD559d5df4284bed2e48bbcad2c8c6004ee
SHA10f1c5e875646c454a2e1343cbdbb6ff6896c3299
SHA2565355b2d5991557687c0be2749463b91c6a79bf5b664508cf24ea82b58a54f5c2
SHA5121aed368379fb644b637dd0b244eae29795ec846fa46bae622127994b8ad96de8ccaccc96a8d1439224fe146e6a82cdf381cf8eaaed4c6c85e8813b8c550aed87
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD59eafca7c28f0e8130865ffe68907aebd
SHA19c264f7abbed432159042e69508c8154f59eb25b
SHA256f1e8068c1b025bb853f18910892f9c90e9a8b6c17974c1ac615b5a0f7bf57113
SHA5124147a8608d2f98772becad5870382a6998fe979764c819b11348e19d297ad928fc3a7595fe91faeb494566aa70af63af527e1b768afd79ba085cb1c4d64b6b52
-
Filesize
6KB
MD58462643365f768c75aeb32db40b9cf9b
SHA10ed3bf60369496d12462eb809f48e65795c6cc5c
SHA256981939a86e6f6a2a23f0f24dc38fd918004d0cef99c5cc7400af7e6353194736
SHA5122354b387dc59c44663b29cacff9227558f08095add6d68808780b7862ca0aaaa485caa8e95e8503dbcc734f8e3f5ac6c088a545d9df6f6989672b7407371a642
-
Filesize
5KB
MD5375e4bedf856ca752b471cf8ddd5617d
SHA10caf0b4493d7d5cb1435dba2419966b139a48f26
SHA2561b9d3c544f99be59fb7d9ae3543736baa0c10c3466d0d39be000d4fb7e3859ec
SHA51218ebe90f99a40704b83350f692c23ce18f054fd7bcfffadb6565760cf6a45abc83ae58c58eb46aed5c2feeba79d7cfd16a50e71312fc23be4ce70e561253b31b
-
Filesize
1KB
MD551db93cb74bbfaf9710cd21a00e3a48b
SHA12f8a6a43ad4c73fee1209b76a3ad2bf6a87ea8df
SHA256c17b76ac9a4bd9c199f7b73e7817bcad236bc145d4d49df6ac96d5c38c59a189
SHA5129baf5fddeb8e95c051fcd620e79924bc53191527de3409bbd48948cc471abc659cf30944962c51f0022320e3dc256c9f101d62f68d1477200bae4a72885a1ce6
-
Filesize
1KB
MD544b772da697ff7f7462160e1f9ab555b
SHA1fd41c08c8f1dc640ccb9977ba818183f2e99265e
SHA2561b5784f66d1ec0395d804533658cb873ebff5e67572f98409655354004ee85b3
SHA512b41b7a36b966850722934017dbb09bd2a6c972c590fd84882df0e9de8bc39e6a0efb8872e5b34bcb4c6a06156d6589b554886a32c37ce8b6c949f2fee4fa0e00
-
Filesize
1KB
MD54a259d85b3b41d59190ed7b03e94ff5e
SHA1adc9f23ce83f90d5669fb78550ea1689a4af77f1
SHA256bd243364a2c2859c0a48e933b2171601166828c7373fa88ed86cd89f792a8953
SHA512f995a4b146d7234ee8f95581aec915887ce28a9d49f5873915e2fe4ff262d2fa2701ecf8ad5992290351d5092a7a25a5c46d775e150e722481af20489a8890d7
-
Filesize
1KB
MD5e75e84dd5144b3a6e0ad39620fffa68b
SHA12d6d6e0f6054d09623724a72f82edc3cd732898c
SHA256fd3e7bed4d12ed0a7a3cbd4e06cedaa58732657eded9f0c22604b53e5f48a975
SHA51214c27ea8218c2cd22d6b1bbd16ff2a860775a4215183c3b0bcdbeb84c85fdc7a76dab5f49be7cce68a7c1ec10e786b0a5c41e1972392266bba98997684bfab0d
-
Filesize
1KB
MD5592ff04b55c528c4742c94c26b57a70f
SHA1e3f1e5faa41b5eb5c3b488d5b53a43fa236820c8
SHA2564ece777af388bf99214443a1ecd8894f86dc228794001d643815fc59a89d4ff9
SHA5126bf44cba4d95167e5f6dfe1c87303b6db82d0c3d68ec0c8106ba6d8a0444c0fd1b1536af120ddc52d24a1e1538eb108d90ce7c5336484d0426e830d818eed778
-
Filesize
1KB
MD58f18d477069a43209f1d3f3aa2a18772
SHA105fe321d3514ced3f416789b48fc6393f55ec015
SHA2561d43b8d192c02fb05abdc508b3363a346e894e724b78f131f172b080b294e9f4
SHA512e2486b4fcd8df59aa087eb9567b9cdfc52bd5ef1635eee371e02a116008e09666235d1ba4a67e95f892e2a25338660d8de85d17853d116f651deb74ea9aef03b
-
Filesize
1KB
MD5d493010e3c70aaecb5d919c2b60c01c9
SHA19b72704893361270362c40119d6c278246f8d15a
SHA2563c9a02aefcab256658a0fb0ea99abd6c2d6d49bed9c1aca4b6dc3248244ff8ec
SHA512e126375befef63b52ba85848283d938458553c3f48efa2ec78315beeda24d3d3c75b8d6bea5f33966661957153065f0d6c67b7f4f6f3b3d64203f8ba1b0db9ea
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5c8f786a882012f513050e20d703681c7
SHA16332bc180d2d485a8b8dd5a10582983d95ad8c05
SHA25601b8c258a44a2c0e5f96d55c78eed7814596a8517c566204bd49a3983f46500d
SHA51234fde4ffa96b5979ce0a694393d474ec0dcc8d5ba11a4b694f196855a266a389ba758e74d203f2ef35c2cdbf5267c52689d8da873774dfdab53a4bfb4bfc0447
-
Filesize
12KB
MD52e6efc9cadb6b9f44d65057c7dab296b
SHA1dad442c8ef5d0b7ee31742d8f28e998cc5b71e9a
SHA256d2518e48bcc634ab31bf594c7652d6acb66a71ddd22178f4af049268284d6d38
SHA5121b98f2ac4a21fff6af9862205acba196b1e75991e9dc17b0993d79b16b8dfea3b5d1b9cf82a4a2a185447b79f56e5e2fafca0519a7b56a74ad7a1108a27b9d48
-
Filesize
12KB
MD536dfcf6dced224a8c02c8aa77579eb05
SHA11a3babe2a4b8b09e249c49f193d67e219147dbca
SHA256591e2a38b6166b6ee105b3f71b1ea10cda363cd009112c2efe6f36770afd9f87
SHA51217e264364c97b50e0659822071cea067da4273d22f1c707023053025ed6c26bd8a2600d96e0c3969268cb5b5e5529bdce84691816481b7e163d2300a9555cf15
-
Filesize
12KB
MD561fd1121c3461fcff981f05380ba59da
SHA12e15f30dd44d73f0c3fb41c43ff9b0e3f4433075
SHA256490b25009f43c07703fde67a55324fc6c0ddf5317557630d221c6b1c16b5157e
SHA5129798acbc522fffc5295b2546b500eb493d23e0da78705bd7a553d88de5cc244d87a2511b02a2fc6cac108cb77daab256189471b953b0b1aeb4dbf52ac064fded
-
Filesize
10KB
MD556e3fb6b86eed4f6cfde301038fa951d
SHA1ec8fef6dd06c6c660542f68bfb85f2ec0bed4bca
SHA2564fcfe3cc282c5bd1a352f09c60d562dafa87e7b36de965467ff170c4d6e910fc
SHA51286e843da42072bcc88f70449dd52c8fc6a00f7c4ec7dc38eb85f0a655c8b9e95c881584d6b72cf51b2c1aa0ccd60b0cf6c738a40b21e0b934a25efa2d3d5fd5f
-
Filesize
10KB
MD5e23e7738a77157383b36aac373c94c3d
SHA13267e2189c3c333359cfa01fa683c1660020f8e3
SHA2567792fd4bed6991f5096eefe2c6931e987a660a4739cd88fdcee38b2d4874d034
SHA512c3eeb483ab01b2bb3614c0294dc8a0324ed82ffd46edd8da4f6e5e522b974c2b0b4da30326e9b614cc32c039a137ea90501278ba8186a96f98e569bc6e4e5b67
-
Filesize
505KB
MD5e62ee6f1efc85cb36d62ab779db6e4ec
SHA1da07ec94cf2cb2b430e15bd0c5084996a47ee649
SHA25613b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a
SHA5128142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69
-
Filesize
103KB
MD5c98352c75dee0ad8e634e195a971fbea
SHA1aff31d252f032e8dfd5e8b6cb88a5d31ae6e6db7
SHA2560e169de41a9d076d3841caab3f910abb7502b3b82cbd841f2a520dc5c263270b
SHA512e74d03171bc68a0dea48ef129d8a7a99423557a3ea5c9de6981fc5863fb9c804578f1e443ea71dc80b510e8e3bc9cbab32a26f723b59b985e4f089c2bf12a73e
-
Filesize
92KB
MD53489f87d693635bfcedfda6d671beec0
SHA12778fca0ee805b6635df0bbb5994ee02b0ae548b
SHA25665e98b5ef9f0682c90b53065849f099f49ba0f9f8db78d459a67186d56125fa3
SHA512fc4f521b8fd86d8a086a1f39ec5d821042dba3e774e04d23e44838cfeaa2793097189ccae7b645277125fc616744fa746aca02d94b8457ff6397fd9a696695f8
-
Filesize
611B
MD5e340e3afb82818304bdfa325cd4c8569
SHA14edd42c1f2e7637ecdbdb7fa19a316f4972bbaed
SHA2567660c9fe4b1fdb9d838ab71f34365e11be07f5f8e939d57f524f8723085a6a1a
SHA512c76c9df086c75cbf947ee7e0d458386122e43ea4ee6af324a89363b79486191f1abb021097c46ca8e88d006f21fb46758e05c77039d21d4d76e7f59f8dad01d3
-
Filesize
105KB
MD51bc8017c551d4512355277de7991835f
SHA11ad768f8c0d64eac62ef9b18bd0af6643820ed95
SHA256f1887e9abe277bcbd1370ef55bdf20982de2591443b7c6f78f3cad03776033cd
SHA5124c05ed7e486728b6279ac49f0b36cd29b401bf21ebc39eb8d4da0ed2b41960f1633d2639e335abae1e6a7cf5efecaff2a622edbad854dc131efdb1ede0a2d6db
-
Filesize
103KB
MD51e8bc7dd872b57b3e925bbfca560b720
SHA10595c7126a6ae66f2dc69d4a65095d9e013f4503
SHA256b39f3a1a536fb4a9fb2bfc95d5b851bd28f6253888c9778d89fdecf77ead661c
SHA51216a7d33f221db9bfdeb356efc683105608acb873fb891a1c7797d8a1bae3b01657a0615850f178e5806cff02f266e21e63d93634b4d1583ed73a872556c5fe67
-
Filesize
39KB
MD56698ca85bad6bfbfff718517e5670c1f
SHA1c7975f87fab1b18931fba501cac15c8c85c3b57f
SHA2565509eee9f17b3a1ea7bb1ccfb5ff2ab82978b17f59c0194ead5042fb671068dc
SHA512dd2dcbcfbb9ab33e2e83b2181d83bb7684255cbcc7e6efa31580e772bf141a16673cad6d8c50b9b838f5fb7117c32b5effa286c10660fcbd5d950792f2c31f8e
-
Filesize
103KB
MD52289a499791fe3dc19993abc322ff074
SHA1ce978bd8c123ba67eb2e0453522e407220650e2b
SHA256598887f61f1d5af70c337d4f9f7da5ca0a0d934722dbf76cd6fd95160df02e21
SHA512add454b286056c7f3c3a92f7a45948a9e18b1ab68fbfef8b858305b940273a8984f681a72f7da0d116dbb6098c0c603440371f09f20dc942e2e2a84cb80655c1
-
Filesize
61B
MD52a8eb91004a950bdf368a275a4fdac3d
SHA185ebe04691b676abfc3735adb27448277b71ed34
SHA256df4df97c494510129b00eb00a45bb08e2507271ddda11e12787a1896dcc69eb0
SHA51265fc15ecd1d2c6d9eacc07f621c8517ffce1745cca953badfa32a47fcf8b45a52934d13fafe20dc19cd10650e22f1719133facc0fa50874e740209576263116a
-
Filesize
152B
MD56bd34f0dc81cdd3f61df79aca6351148
SHA166206dcf2da2b7f4480272bc43c6b59f12a1053d
SHA25658ba6bd3c48180da5a283c98c23f7025c72302a1212cfb2dcc438631a0145afc
SHA51285004b06cde3af4c686e46c2b68902c606c4831515941b1d68f5503bcc58b5dfb02665d8da2e08e3b4598cca54940f2b6e25043f4ed042256463be1957283301
-
Filesize
261B
MD568069033890e02a8ca23ae9f274b44ef
SHA1fac56cb4689f78a9e3cf68dfe4c24f1d3405c677
SHA256815ce104668c226e037bf1b7ab678c4f9863644b7badb30c5a4c63ad729b087f
SHA5120f35e9f33f79dfe47396a56ce57dcc1bd4abb3e7f83797579a82b09b40b9545e3de42889056a5f5185b96105c534c773b013bb1e2a78c9af1a1f4fec86d24078
-
Filesize
180KB
MD5db1841bfa15492d1f6a4b46e921068a4
SHA19526c45f7a9d59e0a5dda1b57ddbaf8425716e9e
SHA256176b2fbe38f0d14ee68c65c56e2731646473c0f51e92d3affd2048959fab6bd8
SHA51222110b41d057696ed5604c84fb40c881024cc8bb045135e258e6f7b0c5baac29d40b7b2b4cb1c4a3391ab2944b43c6b293ec628901abf6447124404111e41b18
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
58KB
MD50ba2d3a3cb7185c7111c565e039e9b52
SHA19381f3598acdc21136141674fbb7e05c9498dfb8
SHA2568366f11f3df2673f21db892e6199c38055f7895dcc43f46ec3a03ed4ab94127c
SHA51225252283281019fb75df4266ed9b9a669f678200856a0369580b4108bbb4cd220d22857f111b56393f49023b864333dd70a2309caa3049b6e9ed6dcf480e1b92
-
Filesize
224B
MD5b1a28ae22847910d10f1587a4fbcbc0e
SHA12e996f8eef4d92aeab3c86978f69c2fb616b659f
SHA256de5ba4816cc00611f2aca981c1d07f6e9c78644ef225d22002075b62e12ecd78
SHA5122726070d6eeb821aa14dd5afa69288ab93b12e3e4f5c67a32412df00dde3814b0669ecdddf03d312e7e9d79b86f1eea04230dedc1c72e3d366f27a47d126d0ee
-
Filesize
177B
MD5e20f32fc0db8a384680e0402c19c545c
SHA1d08216a14a17f534eb5329ecc0ff61e572623f30
SHA256ffa90a06de053b8078c38ea81566035044880ac9c19464fdb4e3dd4d65da0b84
SHA512ebd568f00d6c2722b3bb8744614f27a88302ba33cb30c86fa85b27321bb997d9c51923e249b4d541de1b1de2b42a0e1202b51e17613608d19eb4a7ad9df6138d
-
Filesize
621KB
MD5da130e858f9bc8b2b2b55946cbe272cf
SHA189cf3bcaf0adc366e695b8ddf32165634f8a8241
SHA256dc59bcf3f7a36a41cc460f3aa3ef60b92e111d0656f7840a34682dc519b890a8
SHA512b8632a6f57052b2f2cc7000ab7b9be62b5326fabd2bee678735aad11a87c21edcefdd18080e48f831c142328f2417a8b5001ab2e2072ac70b5d83f3f4f90896d
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
116KB
-
Filesize
528KB
-
Filesize
4KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
24KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
216KB
-
Filesize
24KB
-
Filesize
192KB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
116KB
-
Filesize
116KB
