Resubmissions
01-11-2024 12:33
241101-pradyaypdv 1027-10-2024 23:08
241027-24hmasskhj 1020-10-2024 16:28
241020-tyzdvsxgqb 320-10-2024 16:26
241020-tx2gtszekk 302-10-2024 11:53
241002-n2j6fsycqb 313-09-2024 04:59
240913-fmwxpswcpb 311-09-2024 15:54
240911-tcmg6sygmm 311-09-2024 15:53
240911-tbsmsszbnh 1025-08-2024 22:53
240825-2t6als1gll 10Analysis
-
max time kernel
344s -
max time network
346s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19-08-2024 16:15
Errors
General
-
Target
dl2.exe
-
Size
849KB
-
MD5
c2055b7fbaa041d9f68b9d5df9b45edd
-
SHA1
e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
-
SHA256
342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
-
SHA512
18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
-
SSDEEP
12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2
Malware Config
Signatures
-
BazarBackdoor 64 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Downloads MZ/PE file
-
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 22 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 50 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Windows directory 10 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 28 IoCs
-
Suspicious use of SetWindowsHookEx 38 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dl2.exe"C:\Users\Admin\AppData\Local\Temp\dl2.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\dl2.exeC:\Users\Admin\AppData\Local\Temp\dl2.exe {788D3406-1075-42B6-948C-1DBBDE794F19}1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- BazarBackdoor
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8f2d346f8,0x7ff8f2d34708,0x7ff8f2d347182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5464 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3960 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2320 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6584 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2756 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /main3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /main3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=john+cena+midi+legit+not+converted4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8f2d346f8,0x7ff8f2d34708,0x7ff8f2d347185⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=best+way+to+kill+yourself4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8f2d346f8,0x7ff8f2d34708,0x7ff8f2d347185⤵
-
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122885⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=is+illuminati+real4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff8f2d346f8,0x7ff8f2d34708,0x7ff8f2d347185⤵
-
-
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\System32\calc.exe"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5576 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5140 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\PCToaster.exe"C:\Users\Admin\Downloads\PCToaster.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\PCToaster.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\attrib.exeattrib +h C:\Users\Admin\Downloads\scr.txt4⤵
- Views/modifies file attributes
-
-
C:\Windows\SYSTEM32\diskpart.exediskpart /s C:\Users\Admin\Downloads\scr.txt4⤵
-
-
C:\Windows\SYSTEM32\takeown.exetakeown /f V:\Boot /r4⤵
- Modifies file permissions
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\takeown.exetakeown /f V:\Recovery /r4⤵
- Modifies file permissions
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /im lsass.exe /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol A: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol B: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol D: /d4⤵
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol E: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol F: /d4⤵
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol G: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol H: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol I: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol J: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol K: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol L: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol M: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol N: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol O: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol P: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol Q: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol R: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol S: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol T: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol U: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol V: /d4⤵
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol W: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol X: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol Y: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol Z: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol C: /d4⤵
-
-
-
-
C:\Users\Admin\Downloads\PCToaster.exe"C:\Users\Admin\Downloads\PCToaster.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\PCToaster.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\attrib.exeattrib +h C:\Users\Admin\Downloads\scr.txt4⤵
- Views/modifies file attributes
-
-
C:\Windows\SYSTEM32\diskpart.exediskpart /s C:\Users\Admin\Downloads\scr.txt4⤵
-
-
C:\Windows\SYSTEM32\takeown.exetakeown /f V:\Boot /r4⤵
- Modifies file permissions
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\takeown.exetakeown /f V:\Recovery /r4⤵
- Modifies file permissions
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /im lsass.exe /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol A: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol B: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol D: /d4⤵
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol E: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol F: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol G: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol H: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol I: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol J: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol K: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol L: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol M: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol N: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol O: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol P: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol Q: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol R: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol S: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol T: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol U: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol V: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol W: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol X: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol Y: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol Z: /d4⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\mountvol.exemountvol C: /d4⤵
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14927534760399471985,18379759017282982650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x308 0x4181⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5847d47008dbea51cb1732d54861ba9c9
SHA1f2099242027dccb88d6f05760b57f7c89d926c0d
SHA25610292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1
SHA512bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f
-
Filesize
152B
MD5f9664c896e19205022c094d725f820b6
SHA1f8f1baf648df755ba64b412d512446baf88c0184
SHA2567121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e
SHA5123fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae
-
Filesize
1KB
MD5e0a1aa105fc576366af6ca420a21a0b2
SHA145db607a07089575f4c144f5429cba5933101d52
SHA2565aa8c5f3a02e114f1c9d1eadead5f17ee18ea18f766dd8b93a38f7d71eed7151
SHA512a559886e8e873333536110da4e0e18dc6a26987444ceb9acf9fe16ed0ca084c5e6dee3e4bf29e2230dda88075b9ec9711a09ca5a2a5eb6e5371940ecd4595015
-
Filesize
209KB
MD53e552d017d45f8fd93b94cfc86f842f2
SHA1dbeebe83854328e2575ff67259e3fb6704b17a47
SHA25627d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6
SHA512e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9
-
Filesize
4KB
MD50bd187f554fb1926172aba4ce6e8edbf
SHA1d6fac3a1a685f6a67b9ff986627dfb0ef4ef2161
SHA256b16777f0fae95a6510bdea9ecc769efaac5d5534229f7faa6fc2323d4bb6221e
SHA512000a720cdee1a70b767b06c04f043a0831f2cb2f7091fd57439cbf4c5824bca193e61fc32a2eb1a51d6f3bfa7ca7944f355d3fb35ec412834a45f0f19ce12947
-
Filesize
1KB
MD570a6038e60a91b48787baa8206cd933f
SHA128484cc8418ea5a4e079609d1aa43483f6274caf
SHA256ab921ceb02236ad9a56c310d8545102a6fb7c02814c380699507b97317e94a2b
SHA512682dc79b04a14e45f1a2b61cf89aa0b1442e0e2d0f766b3e512b37ff6ef9e90d5f1e16a2ed3f01148366bb38ef2464147dcb9b7c8b884c2defb1554b8f6b2b6c
-
Filesize
4KB
MD55261f013f3115cee814384bf71d1f16d
SHA1f133c5eddc3dcd8cc814170299925af4219a5753
SHA256c6a354177d6f0a9e5e5473617a12b296fafebe409ba19424f0360a9539577281
SHA512635833700d1112325f52de54c5bf434b32e90a2aa0eed515c796b34c8be8c7b04e29a69d9a66e208ce02d5b3a7e48842795f4d6e5572ba5c4135d6a27712086c
-
Filesize
4KB
MD5cec7ec9588c3e18b0c8c777d89bb5444
SHA18b56ae235ea1589f3a4e759e3b5b70f6dcc6f17f
SHA256d26af24cea86efe929c659006c4484bb9463bab3507d0c9ae16d1169083d7bda
SHA512004493332d5fac5bc9a13e67395d93b96f7d1a17f9353130d26c25237aac851f95bb8a001d36cbef88a8f077b1bd55b2f702a613221f07592f0a8cb04f2801d4
-
Filesize
4KB
MD5311a2004ad154f8fd26c464de772d713
SHA135bed052fe66b4dcc9edc7ceafb319651ad619bb
SHA2568d5688d54e410e707c60b2645346fe904710ee195c912b7db5682c103a39245e
SHA5120fcbd5f738ad2c83f591b044326b76a4e2d66e314752d394478e705a09de0d23900b64ba3d0bbf04ff8182ff26f4216dbc6869bc4684bd70b33ed121d96623af
-
Filesize
1KB
MD58365dee097e825d0ca60f4d7839e796d
SHA140b1c12c39dd9553c43217d51235166c1b051181
SHA256e18f78a774102cb9e80fca103a492528107e9df0b7536e97dc9c553676c5162a
SHA512b0ff7def037d0fa975cb448243bbe3fd9776760fcb1428e37ce244d2334b64bf8007c2554b8364ec8521a66e264d2da32c528bd01e8f6c48148b5e1fc4fd06bc
-
Filesize
782B
MD574b43b223b386913d7364860c625bd4e
SHA19712c387e020abd5884772c548614f469d270217
SHA256780cf3ff453db76a8cdfb6760236f7afb6a32ffd88d13b7446e66f37ce0f6727
SHA5127d85accd6b64a45e82cd483eda5a9b7ff9cab1cfa154c92cd645378e00398b88c3df906b7d57a861492c5054cdcf2cc38f0f11741681d02202d478f5a9790d95
-
Filesize
1KB
MD5319a215fa7341dd196bb6df006a8d011
SHA14100ff8fe534fc6f023b04fcf32219a1a5f82651
SHA256de24f92ceaeaffac83ec4d8cb633595b540b675e52ba35f18f7222ee1e615054
SHA51213160bf57806b1a2392a8746608fdd117cc93eb9fbf3e3b4c8df73fe76bda97723c8a4f3194b94639967d9975e06ce03a699650cb75fd14761f2a8ba787ede2d
-
Filesize
6KB
MD59305d5d51a1c32e4762290221e772849
SHA126829ca2a64e38fc94caee8294f5ff16eeb80b44
SHA256b8b9d3ed37c70a06ade53868f9012c491e9cb6ed45af57d6a28217f77a486e55
SHA5123a0aa39a82a97bf8558d8ba9a722eefeb05b3f2d76c2aa334cd5a6c74119f88af388749320b1a0a386c353f275d9e2a12c40a2cedac9a4c4a74ac2a2da9c0335
-
Filesize
5KB
MD5b3c0df31710b0c72af69ba4b7589cd69
SHA184003c56c9c572c7995fd89a13b981c2fe8dfbc2
SHA2565835e159db447c5b8cb313ed80ad6c4e604f81e51f5aa450928419e05a65e69b
SHA51206ee1b6cc86cb9626e2e249ac38a42ddd9a3835570d22be4da885798cbdf9e32fa0c19631c120f68d617dc3cd08346924440a209ee50402b615f357a6b416f4d
-
Filesize
7KB
MD5209710004febcc7abb3577e3d425eeaa
SHA11093facb1de1b53d51be22fdea492e430068f7d2
SHA256fc5b3ef5a27e8e84d02a6f4f810790ba1be91ebb3170650772c03687fe5bcd71
SHA51205b2d565fa0ab803d07ba48a2fc731430d2f799ab8c5a04f52293bf2b039e3b21872dcb38dffd87e2e8ba9288e6b387245c41874423bea4a91fd2a2e8dafaf8b
-
Filesize
8KB
MD57944556807d21463791c4901975f97b9
SHA1d906d595bf593ffc0ca46d91629f2e46558fac63
SHA2564474256970a04df4466ee0268ca56b9a1bbef7babc2f6a7c40de9212faf2b612
SHA5120692b441db0db66827dc81e7ba51416fb3e1e1ce3723f719c10c7132d2dc04f84c1eed6290d48700f6bbe7784e1614da5cd0abd8ff23fc7525f9657b73306db1
-
Filesize
7KB
MD596bb02be41caa679a55911f8d45af761
SHA109ddd2e9b4a615dfd40512ced21251ff32fa01f6
SHA256141cf383db6d910b1c63e4a2dfd70798ec89f1eab63f655b50b2a26e44c1b8b4
SHA51259be1c2eba0ba9e874ed3377dd9eaa8affe73500f92b8ebe1bac4f665479d69bcd1a85028496a434bd99c12eaaa0e9b65165ea50d297f3b9b169dd97a88c2cfc
-
Filesize
6KB
MD53e31f2216e8dbc58827cf8e3e6801887
SHA135893796424b47f4c0072bf6ea43a6e9d921ccd7
SHA256c596949974bca90e116a56f559959047fb8349e8f760001e8393533c95b4d827
SHA512cb0d9453a0aa9aa0de47acea9b4a1c3d71926cd1eed5e7188001b6ac608e98765eb9e252b617050486f337aafc97cb3c7d14e72ce1f1d23f0d2bafab6f2524f1
-
Filesize
7KB
MD599f77b2d692da10bca64ffdc1f12f441
SHA140637fe21641f36118bc8b2d01f1e1acf38b4a97
SHA256995844487670f306c529e5cca6805b9898e7a2e8738266bd5cbc23086f93b8cb
SHA51250d8bd85472f41f24345793aff0ad89c5914d207ed82cde38669d495ade020148dfd17d0021f1df57083d8e7fbcc3e612814f9709ffd12d11831664e0f60b820
-
Filesize
1KB
MD5497329c65fa35ef05bd685db569a4329
SHA197a8d649567b7f4aa890c93bb4e88421bd36f825
SHA256b9eb114f5bb7adb5ee1a7734d1c6e5adb5de7ca412abf8946080a5e751d17518
SHA512b8ab23660bb5907c3c6a2948c5c0dcddbc332bdbba18cfef32ad72cda2ec5f14c36b9ef13daa545086582691015da4c429451b66983aee08f648b5500f3282ae
-
Filesize
1KB
MD5d209635f7baa2fada369446761b16986
SHA124e9f6ba2d0b967126af2468722a4434742b9088
SHA256470902e356c7035dd52499ab07441b26a7bd858e315a390e3409a527b6d7033a
SHA512f562687220217b81d7a9cd2e5a52b7555eaab43544565f89b94ab3ccf61b13135c5e434a04d0be62d57c62018c902f76781869c333afd015cc5eace626e96cc9
-
Filesize
1KB
MD52473d643561214c67328d10016d84eb2
SHA122c1cd57e975e00e9f53ffd607623ea708c6bc33
SHA2561e3d306bd0d4eb8bad43bbc8506e43807aecdc013705abbf99e50fae037c6d9d
SHA512bcd1565fad86bb7eae2c10c0f7965cb7fd0f46e08d4b13468ea8626596ab6fa59b4810e3845cecd884bb10bfc7f150667855c905988936ca8377d7774fd90202
-
Filesize
538B
MD5739f1952ebe2594cdb70e3adc6d7c0c6
SHA1cd6c4d578d8c65c46feb9f0fbf5dca4b29fa9259
SHA25627201978ed3f48ebe18c2cc299590f69d0afeda02bb16216d03180cfe4a47de8
SHA512dc92186aece54ce86737a754a07f1a931ec1e383b4066e40c0ba0bac6fd881b614c5e8437a6e014f5b8410b6e78c27f8f957092430ab2ffdb76529c8b3fc5842
-
Filesize
1KB
MD5cf51207ae4e77d758b308842d6be3b1c
SHA16c2fcdb24540832804ae55e7a08852fcc4efa6ea
SHA256644cbc87f90aeaaf627f1e453bf84e2f73a5efc935c65f466c1bb36764d27c9c
SHA51243e91cdb5993df240f50d363bab1e0099fc07850bf9894a905ae96d48792f3f8d9b25cf6e0eade6382d4111b3b34eda315259ce88c5793693530b69484dbf3e6
-
Filesize
1KB
MD5ae00af1c33f776dc7f9f349f8b4604a2
SHA1b190bfa3888d807ed561a04652283f5f7742515e
SHA25648aedb68c8654a4b1e6c82b11043bf632c9bc76b3a4a308c1474f8834f8781c2
SHA5125648466b2c2026e95d3878905e7c2c29ea0e67adaee6f801f9fab3f23a793f2b4ae7fdb879a4eeac634b3c80932c6eedb48d3e7c8e116181aea6864bdc3db73c
-
Filesize
1KB
MD5a6a8cc712b4c6e379f52dfc362c05bbc
SHA12b6146466c3b10be497d1808c0f91edbb3783e27
SHA25689107f9431873defd6b0329551134291fadae5aef247614062961bd7af3434ce
SHA5123bd311f5dc2c37178e4910609b8fea8cf753f3356c7bd5dcc93db4261d7675312200c3b68e528177aa44531cb2d313ee4f291a914eaa1c0ffb18bfbac6b03e04
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
1KB
MD53f1574cc3f2c409593a868fb18f2bfb9
SHA1eec55e7b58a8b313301443345f7b160d9d696186
SHA256403dc58da0717c00a8d807fbfd72fbef6fc02a45bbb31b92ab37e3099a38a5cb
SHA51204230407cfff8d759816c7483d7a33122480d153caa1fcd3f461a3344b3f8754ff14d5a1241b15675cccee8615e75c2f9bff3805e2eed3019c98abcb5088a414
-
Filesize
11KB
MD564d3ee9b72c542d6b608adeff3210815
SHA1f114d3dc6304962e1c8ed24057375ead44644a06
SHA2569f6c9167a96d085ba4b648e1650aef7b465107836c7c73e88322085adcce07e3
SHA51218ce6a551cc9e650ec62b1c01903f78ead2713f63ddc448d9ee2eaab10ef044cbe056453f3b98f6a5abebce48c57bb67fd13ad0e0e4d2ab3deae815946381541
-
Filesize
12KB
MD5effdd4c3f05bc2ba5148a003a77a9eae
SHA1825d079edbb5253521a0a9582dd7fb79757dec0f
SHA25676d2c5571ade074635ef7328b2d223cc9006da862f56f8c3d2cbfe89e0302c0d
SHA512656d226882b979e135b672e7d896c6230ca829b4994933a09c83abfbbda3e9eee994b4c18994fdf01ea066ddac95d27dfa51d9e69d8cd89eccb53b4a08142fc6
-
Filesize
12KB
MD545e49d2533e70a44673ab4a355c7aa38
SHA1e9ba22dbde91bde6f3c9a7772f1ae6d582a81fb7
SHA256640a809ba2458a9f59c63b56329559c82bbce5731be8a4b20bc633dc9bffc7f5
SHA5120bcdf6519c8d5b8a080a6e58f180fa71fe3d273359dbf278022b9253bf4b54fde9febb120c6c8c373e0da0b82b74c69ecb4694f0f73bbe08e16c6493c20a520b
-
Filesize
12KB
MD5af9b7de647a2df21873ec3b96efc8ce5
SHA1ddf037410f0d8bb819804dc8a6a81684dee0c17c
SHA256e6050c1e3081ff29b5701385127a8e06fc3f126485e1b328fa5f2e7e1e59414a
SHA51240996e733a587f49fe7eaae30283ddac820765dafa7b49c3462b7387f7619742d41f535dde777dd648d8344b44a73f6e652bf4860fa5dc3463773297dd1065cf
-
Filesize
12KB
MD5fca2f5c6887d6771d493d1ca81596438
SHA11f562e2588c89a7f59df5429cee81b8552d39761
SHA2563e68d69dceff73c7aa5f8d40b9298582a68522cf01fe618563c113ff7359daca
SHA51262e1221d0671813b6972d4dcc8bc4e139bb516222c1828ff147c739e98055fc4125cb80dac27e39474f87ef2b2c767c9ee7019a1d70cc31ec65c894cdad3ede3
-
Filesize
12KB
MD5234b7833865a5bc4f4a9959d757a3916
SHA1898f88a7c83adff2de1c8111d7ef4cee90f9f53d
SHA256d5237c276cd6b227d85ffd3b7d9ab968af02152f7ec0e61d84f2e256bb00a565
SHA5123a8f2352f9e4d2054ae37b0a7979637d9aaf87a5ef547691078f41b5d1c4322c0b13dd664d9d6ba26e0f7d15bcb7b3b72728231857b79c79bab9114739e5aab5
-
Filesize
12KB
MD564f4a2584e7c826f17105ad4ecfe912b
SHA1440e8f5270e5bd3f017d97834972b615bfddcd07
SHA256966eefe071ef4c49e2123bb23dd9146b3852f6b1a984de92963af193c2b1a91c
SHA512a89f83ce9562789cabfd088b1514dc3f1433fff37438911f0d2c77f3ee06954cb0a8e83ced69624d830fb04722dfe22430305ec5524bfd1c0077f2949971ddba
-
Filesize
36B
MD58708699d2c73bed30a0a08d80f96d6d7
SHA1684cb9d317146553e8c5269c8afb1539565f4f78
SHA256a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f
SHA51238ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264
-
Filesize
176KB
MD5bc82784f4aa47bcfed93e81a3b9950f2
SHA1f5f2238d45733a6dde53c7b7dfe3645ee8ae3830
SHA256dd47684334f0a2b716e96f142e8915266d5bc1725853fd0bdc6d06148db6167f
SHA512d2378f324d430f16ce7dcf1f656b504009b005cdb6df9d5215fe0786c112e8eba8c1650a83192b6a9afad5892a1a456714665233f6767765619ccb5ff28e2b8a
-
Filesize
11KB
MD5bb64511183ca5ab431a5ade01e5a1aa6
SHA18e3670896514a6e67622ddd5c009495ee2691810
SHA2562c50e983a04760ec987736f3bbc5a3aedd3b54eb56589f332bf33ec1328738ae
SHA5129ca52a6d04c92483aac11caf8f6643d9201adf2e241e765d2d46c91c19235a74e0c8388d2aadb50f697745b74157747ce5be49c6188665bfcbbe94f79fd19dcb
-
Filesize
2KB
MD520a66e5bc95450e61d324a692a5cbcf2
SHA15ae8555123e12a61862598b1f182690d6e2e88fa
SHA256109f2ea77e1739bd62d8d944806f77a249973e6dbf81c0415e665c0594d70806
SHA51212b643eec8179b50020006664caa26af181d4770cf1e72936dee5a727d8a1932cef5da60771956b05d0a996367a3da2ea8b8c9c713130aec67fc026b020559fa
-
Filesize
14KB
MD519dbec50735b5f2a72d4199c4e184960
SHA16fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
-
Filesize
4.0MB
MD542585ccd2b7867c12052653e4d54b7cc
SHA1a9348c3aabcc0171d1e35edeb37fd2da0fff0ad4
SHA256b47bcc55ca8dc0625a145d6809cfa3ad78e9e3b4f33bc608b5bcaf7e9e1e5827
SHA512e270bd1fbbaaccf3382048e9ac2489444a735ed32fb83f7681526a1edb0b7847d6adb8d75064b065309293ef75c45e2ea85fb132a1c12afd08b3a1346caad550
-
Filesize
396KB
MD513f4b868603cf0dd6c32702d1bd858c9
SHA1a595ab75e134f5616679be5f11deefdfaae1de15
SHA256cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7
SHA512e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24
-
Filesize
411KB
MD504251a49a240dbf60975ac262fc6aeb7
SHA1e211ca63af2ab85ffab1e5fbbdf28a4ef8f77de0
SHA25685a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3
SHA5123422a231e1dadb68d3567a99d46791392ecf5883fd3bbc2cae19a595364dac46e4b2712db70b61b488937d906413d39411554034ffd3058389700a93c17568d2
-
Filesize
438KB
MD51bb4dd43a8aebc8f3b53acd05e31d5b5
SHA154cd1a4a505b301df636903b2293d995d560887e
SHA256a2380a5f503bc6f5fcfd4c72e5b807df0740a60a298e8686bf6454f92e5d3c02
SHA51294c70d592e806bb426760f61122b8321e8dc5cff7f793d51f9d5650821c502c43096f41d3e61207ca6989df5bfdbff57bc23328de16e99dd56e85efc90affdce
-
Filesize
153KB
MD5f33a4e991a11baf336a2324f700d874d
SHA19da1891a164f2fc0a88d0de1ba397585b455b0f4
SHA256a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7
SHA512edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20
-
Filesize
110KB
MD5139df873521412f2aebc4b45da0bc3e9
SHA13fd72fd5bad8ee9422fb9efa5f601f6b485404df
SHA256efe6bd2e0fc7030994fc2837b389da22c52a7b0bbdbd41852fcaf4308a23da10
SHA512d85cf83d3b2cf9af3076e40d7419be42a561bce1160376ba580b3078b581ed2bd6d274fb2a0767aa81a9e92052762f39c1c391ca0cac3043ad85a72862713bd3
-
Filesize
110KB
MD5ab648a0df4fe7a47fe9d980c545b065d
SHA1ce28ea7dd117289daf467467a592bc304c72d4e6
SHA256905a849721ec95ab08754aeee9a60b3ed435d36962466fcbe5cfca63dfc455cd
SHA5127ae99da55fbf1c31c5281e5f4e10ab2bc33b89effeee82b574eb4b60541c5ea2913d5d99836608873da372c78e75436ae7e535568f48d81cb9dd26d2cc1b3a8c
-
Filesize
110KB
MD5f6fd80ff64b946c3687f89302fcee091
SHA161d92147558e8884403d77d2c4f80068241de100
SHA2565f1b8a21cb5927ba3eb73ef0bc277d1b9b7c633e2cd9d7d3d56945657b345b96
SHA512b68c517c5960c2172019b6fc48bb75767a09bd5e8f57775eb5f319164571554ef3e4f328f3c6ede390febb95ea76cd4a2b5db46eb9a2421b221a7f479f6d4981
-
Filesize
3KB
MD5c92a1d4d0755c886dd137c6cab43c35e
SHA1fc16175e58ad1f67c57e7fdf55333fdd0e01d936
SHA2566ab1ee65e6c9c5e31fe3680fc92a2a0ae73f216e966f5582a2d9c265357238d4
SHA5120525880a1f4cc7dd912ca4006fe4bd02bf1218931fcb56489a0ec728a682fdf1ecd35e8797c665c63dc19d8236942d9b832a6a8c46e00df02afa2c65327dd9de
-
Filesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
192KB
-
Filesize
1024KB
-
Filesize
240KB
-
Filesize
192KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
440KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
440KB