Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-11-2024 18:46
General
-
Target
3fc4db3173d1b66e0491240f24ac5917ed077b77939498c60b2d0ef9b5249b7d.exe
-
Size
7.0MB
-
MD5
55e53232bd799cadbf2b33963cf621c6
-
SHA1
2b036582d4879b0bef521d195845f094f8e7654e
-
SHA256
3fc4db3173d1b66e0491240f24ac5917ed077b77939498c60b2d0ef9b5249b7d
-
SHA512
649d6303b2354e743db2dae1905309b92b0530f6f3ce8b45e18fb0a105617a0c152e33d4809a46fb26cf8d9e8e4328b0e76f5650926433d1f968ddb1338e745f
-
SSDEEP
196608:JFIh3NZ9An36ho/oWZbUluf2nGv8rYCZgCUxw6n:Jw9aKhrWOw2nGiYC6C+9n
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 18 IoCs
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fc4db3173d1b66e0491240f24ac5917ed077b77939498c60b2d0ef9b5249b7d.exe"C:\Users\Admin\AppData\Local\Temp\3fc4db3173d1b66e0491240f24ac5917ed077b77939498c60b2d0ef9b5249b7d.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\O8L06.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\O8L06.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s9S53.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s9S53.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1e53T3.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1e53T3.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007468001\IObit.exe"C:\Users\Admin\AppData\Local\Temp\1007468001\IObit.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1007474001\7507f297a3.exe"C:\Users\Admin\AppData\Local\Temp\1007474001\7507f297a3.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x140,0x16c,0x7ffef21dcc40,0x7ffef21dcc4c,0x7ffef21dcc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,4838794448792007181,8965674130454175817,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1980,i,4838794448792007181,8965674130454175817,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1760 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2320,i,4838794448792007181,8965674130454175817,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2608 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,4838794448792007181,8965674130454175817,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,4838794448792007181,8965674130454175817,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4376,i,4838794448792007181,8965674130454175817,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4316 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 12607⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007475001\cea717b55b.exe"C:\Users\Admin\AppData\Local\Temp\1007475001\cea717b55b.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007476001\0ac5476169.exe"C:\Users\Admin\AppData\Local\Temp\1007476001\0ac5476169.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007477001\10d5dbb28b.exe"C:\Users\Admin\AppData\Local\Temp\1007477001\10d5dbb28b.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd50afd5-6698-4ae3-a850-abf29a74f264} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2476 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c0c7e09-16e7-45e7-a00d-66daa9d36474} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3384 -childID 1 -isForBrowser -prefsHandle 3388 -prefMapHandle 3260 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d763b6dc-5416-48ce-9f78-3b7e7fad81b2} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3236 -childID 2 -isForBrowser -prefsHandle 3812 -prefMapHandle 2828 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b511d905-e260-4616-9b09-fc274a60361d} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4920 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4948 -prefMapHandle 4760 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35314a92-8c05-4ca9-bde7-d53d59709c68} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 3 -isForBrowser -prefsHandle 5124 -prefMapHandle 4616 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf059036-34b8-47ca-8933-5e4a956d23c5} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5160 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aab807a4-9053-4d49-99ef-cd24bfddce38} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5368 -childID 5 -isForBrowser -prefsHandle 5632 -prefMapHandle 5628 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a59ccb9c-32bb-488f-acfc-46066129afcf} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007478001\0a055e6a11.exe"C:\Users\Admin\AppData\Local\Temp\1007478001\0a055e6a11.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Q9502.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Q9502.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w83a.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w83a.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4C220K.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4C220K.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3032 -ip 30321⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
18KB
MD5d083e413e7848a7fa23b992d73784318
SHA1e18e17e32a1661b06e9b5fc3a5c6df338d30e589
SHA256d10f2a64e5e669dcb310f344b59f2a9f929f8a973fa2f48b7a5cb5798051a312
SHA5121ba540ad261e874bbd2e0314e8d8dbce061ea4c765c49e101b672e7a83231583132f2b955d696fe360977eea5aa50711a8469b1a225f7f5cb0f2f8a0c62a4edb
-
Filesize
13KB
MD5de9cfa540ddfbc8046ecf7762c3cd589
SHA15b771e395afbf9cfa2cd4bd5fa9dc42054242326
SHA256e1b821088d5d828dbf5694185817bed572d37739412aa92e4b94e8cbbb9b2a92
SHA512e529632e93f5ac3ce916889d3089ec6f24610eaab37b4595b2aab8170419e6ba3f064708dfb2c9c653d28d37ec7c04cf5c11d909e5cadf1f7b612b4e20672543
-
Filesize
4.2MB
MD51b352e12943c9b113607e78cdf7f1e88
SHA12978dd75e9ad8aa608d41f430e2391ac94661cfe
SHA256e14efbaf799412719eebbbad024b9fe3fae5aa665e7b885cbc05466ee04f4c07
SHA5125265e205a86ac37348a7b09fef6b92355da07e9aa01ebd973f482eac0546b82350ae86cba6f629dec1b454b26c72df6256d1cf69fb1b0ab01930f734b575aa98
-
Filesize
1.7MB
MD5888242c19537f0f114634d771ce4a9cd
SHA1e0e86e160c2c465c3c49b31cdfbbb67ecd5a9366
SHA2560ddd13cd233f81153d8d558297ba09317867797db7d87e7758a51e4131e587d6
SHA51208d552edae0404a8d25af25ac86cdce98d6e59a32d99fae4e0be5b8085e838aced0c1bd464fc5f6f4c41dc0c5160452d35760ebf0bf702eefcb0c6b7b5560199
-
Filesize
1.7MB
MD5e218c3b8301592ed017608e81df8c33f
SHA11c953abe9acf0e759116d61c32d14c2b70cd65fd
SHA256d5bf9e1a3af167866dd104e9aaa4db76b172101abd31a893adf503032ebd80b9
SHA512173646bf3063c6185527e3acf2ad78d0fde734101226cb50004b943d6417a5d842fd381bacf78021ae7dbf8fe1537a1ed8edfc07cd82d5a2da778807b56d3891
-
Filesize
900KB
MD5c202b9fb5ed13afd406eb71e5cdc8570
SHA124620f327145a676c230e8b7a7096f9736f353c4
SHA25664fe0184720def98b06de5cdb4289dbe9357670a973028de21645ada7934e52e
SHA512c6d9e48c16d6b505c06cae84e83bbd9ca185a67dbddacda19de38ff4e0db5d00b8f18e7876050a45255ec4feb1d9558c221204d26cd4d04e837584f0687be4f0
-
Filesize
2.7MB
MD5b1428cca95bff0b76ab62397d02df9e3
SHA1a5b0ead9e190ce4f64c8ab23ecc412ef8dd7a52b
SHA256329ec550d7912b296ae2936bb392f56d16ac2dcde22a9101a1332e119a164c99
SHA51234b3391f0a24e42c908f2497031096ad7174f2d9e54d155b128bc1fff2922d2fb1f0688393a4a59f3087186eea19f8dc5576e9bc1e8c001ecc3eb888b805b0e5
-
Filesize
2.6MB
MD5233f648404abf3a913b830957f8bd1d5
SHA17dd39c8b950694bb87303aae1fc9e778b525a7e4
SHA256e6524526950e9fca8f5a7d001a678ca62cca94ff03491e8d45d58df263d6381a
SHA512dc9170603b2f4190496883ec7769c5dc6f1520ebe7be6b2f9b790047a6c92589a71d914887e7f2101807ab7ed1d3fb021ffe339f0e6ec38542df88c22d25b7b5
-
Filesize
5.5MB
MD5ec2d29d5856f41d23b08ac062b98ca3b
SHA1f8a0c289ff60478c0c272a5919268c1525c6e874
SHA2568d38244ff1a0f7fcd527e4f5dcbb996a14c350b8942623c2d494d757fe8ddcdc
SHA512aca94d483aa82d4e46409bd6e28a1a29edd8255dd31c2ba1d0af5f80a78d5dbe59e6864f45020853c3794008ad43685a84160c7c3d9d3aec9d05e10ee5032a9e
-
Filesize
1.7MB
MD58427e384ea4951ee4a5f0b425fa5ad02
SHA108f6dd97b593d0bc86339e1a1b7dd405f7798d4e
SHA2561498a63ecb4dab164c1b8287ea274408379e317874d7d05f41bc6209060326ba
SHA512b62cea071d32ce26c8542fd718ccba61995a7807d73281c7ec066858052d3f7d3539baabafa5e2b0df42c1976f61fece4a7259c92282a3494f7a406c727eaf52
-
Filesize
3.7MB
MD55d9f1f3d4d9f608cf4b976a6627e3cec
SHA150bfb5c9eb906becdfe4da87e18f9ab75273bcda
SHA25689df9d2bf9d4e04061e8f57491da4b20bae73df6a7d637188195fc6291013b88
SHA5122ed0d082edab8bf4d567359f3041ec59f1e7ea40ce111039d90a0734d0509ffed5927a49e2502738b2a88ca52270fdf6934d15898302d35881c2b3d32f36dc10
-
Filesize
1.8MB
MD573897c497394d9f83b016e6377594c5d
SHA10243a0aa886487a7e9911aaf1ed5ddb28d983b71
SHA2568ef6cd5928d602f0011ba38eaada3c2a5a8e26930c9064400f81e7e182bc7aaa
SHA512e809ebb44765c671c703a61bb28e20f0383c8405a543b94ad88778e5c14682d57c5ffe866e690032b3b85cc500c4270be8452c5ac4a7b8ecca90440b9d4a736e
-
Filesize
1.8MB
MD5f6df237f8dc7d584d8836042966a0943
SHA18749f7bd027e624de82cfff581962b2eeb6a7dfb
SHA256e0ba78bf9b945f75349fd5a76290b9b8ff746abd24f15896a277676261499f55
SHA512a01d4fe202be936549f6a1d465234164a0e315c4725efa85569ce957782ccc904e833db3b2015b173288bfa353b155d649dcff1f2e371e8d010fc197d138f629
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD56bb6c42ffd9ab0a9ba8e0eaf0271211b
SHA1f8ea5217bc106acf501e13bf1109857eac3535c2
SHA25679034ccc9477a16fd5a5c8b8f8eedbc121e17f9bf2f198909d3d34c7157e9854
SHA51287ec6bcfeda745e859c939172351c08527ea200918c339543163948c51699a5f095ebd31b2e5441d9334eff36e044b43c2a2165ff8b986d4f3e132471917517c
-
Filesize
8KB
MD5ce661a995429f18c6ed4558f73660f12
SHA1da98a72fd4dac960c37d28a4841d8886ca936d1f
SHA256bc7919f4ad8465e558a17e113c56890b82d364246da8a53a21e144119672b754
SHA5128d6dd6feb2cc89c4dfe585db97ba0f8f1b0e154c257f39feb8098be7f4b9cf60c33aedf5837aebe4eb9bb69f3159cd2f7d02f998f3295de39650316af1bb4250
-
Filesize
23KB
MD5d7b9feae1137689532040d6da741b9ad
SHA187ffe48de33b17a788edbb0b81411384e148057a
SHA2569578dcfcc3675069762748068cd2339ae1088c46d8d7594043a9f8b462922463
SHA512dba39da1fc549a6441f168f8152d1435d230bce1a242ff7c2e377e66a1f8930b0e04fce1b445fa9a0698e46d71e2fa24cbf30f805d5c7f403e069c4251a0bd70
-
Filesize
6KB
MD5200fbd35df1f71f02eaf00e1221f78b8
SHA17035d35096994b39a68529c26a99f11cc7c7eefb
SHA256fa8ddeb4575f53b46ecc9610ce2f648a6fb7add0bc93105ce1b3cfbba9b1d2eb
SHA512ca201c41041809d0b3e1e4d7bbd14bdd65257d025b2fa8b9d1eba897b6f25faecad21604c67c06640c146aaa76759dc1be3c6f708cd904bde7933f1fb2dd1967
-
Filesize
15KB
MD595e05986007917f549b803e7be6e196b
SHA1d0d098d8630b0401094f6ab39faedbc81adb7a4a
SHA25679314cf8d263a381b8756fa391d64cb2f7fab18d0be47ba98fa3e1778f217631
SHA51250b1cf57dba7b5dfdca5316e08ad56e9a29f682faa42519162367f419a5eaf7b186cea0a5bf2273d6cf549b9ecc0cde5ae6d05c6dd3f6d45a8a475ef2a761fa0
-
Filesize
15KB
MD5260ac677776395d572d876fa9c1e8ce0
SHA13e8cf16baffcbaaeb4b6c24785676767fa9fcf27
SHA25674926436b8060c28b272b0b9e1f4a4acc5820c71ddbe7f265f2a024904260d14
SHA512cfd787f20e9a4e718f5b313fb9170a67587b4a3ac9e7a80e5f161fb96e96715867ecb185c40fd9709584aa08ba8e67322c121f719a43e7804466d8a6a3efe7fb
-
Filesize
15KB
MD514266798a2be84c9b914bff42c12e160
SHA134594cd83c5fbed74b8c0b63773c564cd6d87fa7
SHA256e0351d29898693b290deb76b63abab24c5724a20adff6d938293114a595b9f3b
SHA5124fe9ca5fa4dcb47f34c2520b100b488a66ce04df3aeec0d51395bb677e121bfc55e790b9d4dad2b5375dae8c797c42229cfe5ed5250e71f426fab62cd8df0261
-
Filesize
6KB
MD51d11c8ffcb852ccb94f61782c0af797b
SHA1be848c3dc543106f4ca647d9d6be2775d2503041
SHA256adf873c5d12dd759e3cb5c37553aa9fddae459dfc29226dc77460a84f89f9c94
SHA512a0211580031697ed32173c3fee9053a8b92d71ff0a0476d4aba31973764d7800287e0c2057876ab55baea23892d92e836cc88e2fe9ba2106ef83c818cc9552f7
-
Filesize
6KB
MD520d90614906ffab5a78329c0afbde04e
SHA115b2f9d205db81cdad5ae47436dc6972b785e5bb
SHA256324a0dfd96fc22af8022432ed0ceeb53dfcd7198dc0519dec51b558693dbd176
SHA51276300bf3d7f56213851b56947afb764d4a02d1fb9fc371a6e1e016a3d3b365b51e10d7b42ea280602e25b40703361acdc6181886d2309534906c3650851e27a0
-
Filesize
6KB
MD5560b82f6a90861d187c55f35d2e324f2
SHA1b7f01f5d0ad4f071a97c58d837fcaaf4ab5d7248
SHA256dfa875ddd61e19cf2c59a9da6f19bac020fc04f610f1b71fecef7c1888b4b413
SHA512921f33e2cebec8be745087a72b4db2a8f055e68b001140cc9ed7391a47399217480c155603a181a9cff8f6a8c16936b99d4ceb5143047ebc76d824f284c97928
-
Filesize
15KB
MD554e7fe391e0c0940dcb29cb30a0915d5
SHA17fb016a1899a2e516dc68f3c7b79a050067aa090
SHA256b737f0c892fda94aa3e2ecaa5f50db14cb05b7e487a17e778d43b482b21f5760
SHA5120b1034c12d964d86defdb05c1f16fd03a9e82476e04b772112a9596832be0e400818fdaa9a58af43eeb5466517f8c24a8da19201318ed39d650c285f31c8e463
-
Filesize
5KB
MD597447a36e216aca01a2fa902f437f186
SHA1942f21aa6885cfbbcfaf91f4717eb4b794ba4162
SHA25677eed5072f1102da8159a3a8606e5d61bc24f7ebc876510dfff74487090f2921
SHA5127be4eb4faad384c7d70bd001c26185f2eaef1884fdc6e76e95c396c1cfdfb35ef323aa4359c99e40bdb8847d21ef7719a46bf3a55081cd9c3c712279f4423028
-
Filesize
5KB
MD5e7f162d116885b5c19818f3478fff182
SHA16b7f370d448a47fadc8d230e112d39b513f3e1d9
SHA25617fed29fc203031893d9a6ea3b66734c79419de801dab8065dcc845e191b1879
SHA5124c720c6e16a54fd02fbc0d317d6f6edf48889da6b09346248958bdc9e69df30bb91bdaa73cbd51be178c7509578377ffe4905471172b9b428c9cd651d11c0ff3
-
Filesize
15KB
MD5377959ba7dfa9b51cf10f2c991ee7986
SHA197dc2e0cc03e5404341596a099bb96ac0da87042
SHA256857ca515d405820cc9cc537008040dfa5ca549d738e1903c7b3c55127e85f68e
SHA512f91ea60d6e51d74bdc0d278fb2cb8dcf2f1784b915e5d7cab63fbaa78620283f07b0b045c9ae87f275f8729d4b7b283b7eeacaaa3dc674b8d11df909a1261fcb
-
Filesize
25KB
MD58c6b40fbdbd343396e54baad96df3e2b
SHA1a42278341579a1c485221be5ac0904e6cfd18f63
SHA256c34cd6dc9f09e1240d1be5600acec11723cb468cd72f3817c8edc91cbac54cae
SHA5120ddea6ed9b4dd8e71774a0a4ef217f737adb9fc2745004752d6e001c2b0fa4db7a6f8d8b553c8f3dd285fd124d024ccbbff768d35d3c959057a7706487ea3e7c
-
Filesize
982B
MD5beca66c6b8efc314fae17cb9f2aff54e
SHA1d5041c8a8c4c24fe896748b5c2e07bc475b42651
SHA2566b7c9eba275de100ada35096daa9920480bbb9ad99e4b669042172928b3c7e93
SHA5122ffa37fc864601ccddaf34bbd4603c42901e423f51c800961af4df798622ba278ec2bb5da2b29b193538a451ec3f695d08a70432dfb41afdfaa716325b8d73dc
-
Filesize
671B
MD5d417a23cc8421b04375ede1fcf7968fa
SHA10d87f1862151d1957c9bb5af48c00b3c4676236d
SHA25603990f22a558f5b9d75ddbf9a8082ae97e3daa8fa56907d023ff6c91e2df216c
SHA512a210243c6164ecb3895481d839929581bdf73385498658f9f1c25222d148edbd67ef4866bc12341ae1479659183792b98f6fb97cc0b968ac5117f07999b51c16
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5c8ecee2a18779f80cb0261ccdd68519b
SHA119c9e271b658336927d8f44382131713f0b224f0
SHA25667bbb5f2913e23171b1428fac73c385a4ca2b284f9dd1b366ea2db3834e1e4ce
SHA512fe68a722d9ba4723cf42312acd7bd5576f558fabb54aec0939fe6f2c46ec23b474d8e44468846524c405e60fdf7e353f86cc75e7b0f275dc679e65dfe84e8e5d
-
Filesize
15KB
MD5c65b1480d36bb596659756740c8bdb7f
SHA1f958529190e1e7af72ac42202b604e442d907f42
SHA2568f5db997aea112f964a3d2cd5fdbacd9aa3d8c8f4b045f990318344f66f9360d
SHA51222e4e12e92f95b2509fd2ee062cea4942136d9c6d8ba6a8600dd610729e548d7267540b864c30642624bef16b329f4058057dde93183e493105a52be9bef2c23
-
Filesize
11KB
MD55db1691d2591d4040ec852b63866cde3
SHA163e72e4860f62176ab785ebdc385850e824fb1c8
SHA2560214a4dc074d1941604f4955028b2dcea189da2889535e262920742fe6fdb84c
SHA5124bf304ff82b2d40848fa3016f7ee9c47c27073b0325cf9923e55058298917c630c34599960eb539fd9564266a17ad07c9597fb838c679124a8e009961e129985
-
Filesize
10KB
MD5fec60fd315501dfe51aa458e2e1edbbd
SHA10b2c9cbb4847890c3ce05d0da539dd6b90290914
SHA2562ea9d00d28b152b9b80838b264f195059a9185c1aaff0ceaf5e33f7f2a6044db
SHA512f06c581d437b57b1bdadfdb989811859d94c6ceb69d9d231af5b2c898e13acb9b09c00a61d11540b0d03e12662e8fba9c36d6005e35f5e8e0c50740610b9c29f
-
Filesize
10KB
MD5f4bc1878937c03dc653bf0cba6bf98b1
SHA13cc7d2c012ba6df4490093cd2f8ce81b8c369214
SHA256805f6b44e5a1c446eb2769fe39559af3a24e7baca428022b13a7a7ad098f60b4
SHA512eb6e88c9be0bfe18ef01f302bc48f15f41816fb43791d2fa507d397679fd41871ea1dcd41da7485fb3123c0120f026e8550190c2b3f01ad4d10923e3a9d0e69c
-
Filesize
2.4MB
MD5fc749bc6006c234d43a2b70f731e5147
SHA1f1698ccb00817faff1a9f4e2683672af825c26f0
SHA256f2d0403df79000db02c2baf1611f388bbda556f57d86be95460e26e1860b188a
SHA5122909d2b5d8304027d8938c7308ab7ff0fd2a47d85507151743152658b81171de6fc483d31dccc37cac42ce5db60df26b682ad1870e47cada39081de1ab8f0eda
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4.8MB