Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22/11/2024, 14:08
General
-
Target
ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
-
Size
2.0MB
-
MD5
e20eb29aa454b5381c11c68d875a6925
-
SHA1
930c635fbfffa29ff2c58c665a7e3404c932f2e0
-
SHA256
ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050
-
SHA512
4a491b89a7f186eda3efbfeeaefaa1ced0eeca39c987606648d7a1ae62b1939ddab79f48cd725221a36da948449833f868f1ab2aff992061f884893c3a0b6206
-
SSDEEP
49152:6EB87SJq3vxVDWRkwaxgtPtIorS0+Um6XyNPTVKejl:6EB81yXautPeorSGTSEex
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 32 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 52 IoCs
-
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 51 IoCs
-
Identifies Wine through registry keys 2 TTPs 52 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 44 IoCs
-
Drops file in Program Files directory 29 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 52 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 34 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe"C:\Users\Admin\AppData\Local\Temp\ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\{C6DDFD08-82CE-4D91-B625-D0C6E2BCF792}\backup.exeC:\Users\Admin\AppData\Local\Temp\{C6DDFD08-82CE-4D91-B625-D0C6E2BCF792}\backup.exe C:\Users\Admin\AppData\Local\Temp\{C6DDFD08-82CE-4D91-B625-D0C6E2BCF792}\2⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\backup.exe\backup.exe \3⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\PerfLogs\backup.exeC:\PerfLogs\backup.exe C:\PerfLogs\4⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Program Files\backup.exe"C:\Program Files\backup.exe" C:\Program Files\4⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\7-Zip\backup.exe"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\5⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\7-Zip\Lang\backup.exe"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\6⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
-
C:\Program Files\Common Files\backup.exe"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\5⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\Common Files\DESIGNER\backup.exe"C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\6⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Program Files\Common Files\microsoft shared\update.exe"C:\Program Files\Common Files\microsoft shared\update.exe" C:\Program Files\Common Files\microsoft shared\6⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe"C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\7⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Program Files\Common Files\microsoft shared\ink\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\update.exe"C:\Program Files\Common Files\microsoft shared\ink\ar-SA\update.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\8⤵
-
-
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\8⤵
-
-
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\8⤵
-
-
C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe"C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\8⤵
-
-
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\8⤵
-
-
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\8⤵
-
-
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe"C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\8⤵
-
-
-
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\8⤵
-
-
C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\8⤵
-
-
C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\8⤵
-
-
C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\8⤵
-
-
C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe"C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\8⤵
-
-
-
C:\Program Files\Common Files\microsoft shared\OFFICE16\data.exe"C:\Program Files\Common Files\microsoft shared\OFFICE16\data.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\7⤵
-
C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe"C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\8⤵
-
-
-
C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe"C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\7⤵
-
-
C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe"C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\7⤵
-
-
C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe"C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\7⤵
-
-
C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe"C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\7⤵
-
-
C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe"C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\7⤵
-
-
-
C:\Program Files\Common Files\Services\backup.exe"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\6⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Program Files\Common Files\System\backup.exe"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Program Files\Common Files\System\ado\backup.exe"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\7⤵
-
-
C:\Program Files\Common Files\System\de-DE\backup.exe"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\7⤵
-
-
C:\Program Files\Common Files\System\en-US\backup.exe"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\7⤵
-
-
C:\Program Files\Common Files\System\es-ES\data.exe"C:\Program Files\Common Files\System\es-ES\data.exe" C:\Program Files\Common Files\System\es-ES\7⤵
-
-
C:\Program Files\Common Files\System\fr-FR\backup.exe"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\7⤵
-
-
C:\Program Files\Common Files\System\it-IT\backup.exe"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\7⤵
-
-
C:\Program Files\Common Files\System\ja-JP\backup.exe"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\7⤵
-
-
-
-
C:\Program Files\Crashpad\backup.exe"C:\Program Files\Crashpad\backup.exe" C:\Program Files\Crashpad\5⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Crashpad\attachments\backup.exe"C:\Program Files\Crashpad\attachments\backup.exe" C:\Program Files\Crashpad\attachments\6⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Program Files\Crashpad\reports\backup.exe"C:\Program Files\Crashpad\reports\backup.exe" C:\Program Files\Crashpad\reports\6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files\dotnet\backup.exe"C:\Program Files\dotnet\backup.exe" C:\Program Files\dotnet\5⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\dotnet\host\backup.exe"C:\Program Files\dotnet\host\backup.exe" C:\Program Files\dotnet\host\6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
-
C:\Program Files\dotnet\host\fxr\backup.exe"C:\Program Files\dotnet\host\fxr\backup.exe" C:\Program Files\dotnet\host\fxr\7⤵
-
-
-
C:\Program Files\dotnet\shared\backup.exe"C:\Program Files\dotnet\shared\backup.exe" C:\Program Files\dotnet\shared\6⤵
-
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7⤵
-
-
-
C:\Program Files\dotnet\swidtag\backup.exe"C:\Program Files\dotnet\swidtag\backup.exe" C:\Program Files\dotnet\swidtag\6⤵
-
-
-
C:\Program Files\Google\backup.exe"C:\Program Files\Google\backup.exe" C:\Program Files\Google\5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Program Files\Google\Chrome\System Restore.exe"C:\Program Files\Google\Chrome\System Restore.exe" C:\Program Files\Google\Chrome\6⤵
-
-
-
C:\Program Files\Internet Explorer\backup.exe"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
-
C:\Program Files\Internet Explorer\de-DE\backup.exe"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\6⤵
-
-
C:\Program Files\Internet Explorer\en-US\backup.exe"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\6⤵
-
-
C:\Program Files\Internet Explorer\es-ES\backup.exe"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\6⤵
-
-
C:\Program Files\Internet Explorer\fr-FR\backup.exe"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\6⤵
-
-
-
C:\Program Files\Java\backup.exe"C:\Program Files\Java\backup.exe" C:\Program Files\Java\5⤵
-
-
C:\Program Files\Microsoft Office\backup.exe"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\5⤵
-
-
C:\Program Files\Microsoft Office 15\backup.exe"C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\5⤵
-
-
C:\Program Files\Mozilla Firefox\backup.exe"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\5⤵
-
-
C:\Program Files\MSBuild\backup.exe"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\5⤵
-
-
C:\Program Files\Reference Assemblies\backup.exe"C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\5⤵
-
-
C:\Program Files\VideoLAN\backup.exe"C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\5⤵
-
-
-
C:\Program Files (x86)\backup.exe"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\4⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Adobe\data.exe"C:\Program Files (x86)\Adobe\data.exe" C:\Program Files (x86)\Adobe\5⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\6⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\7⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\8⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\9⤵
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\8⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\8⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\8⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\8⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\8⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\8⤵
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\8⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\8⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\8⤵
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\7⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\8⤵
-
-
-
-
-
C:\Program Files (x86)\Common Files\backup.exe"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\5⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files (x86)\Common Files\Adobe\backup.exe"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\7⤵
-
-
C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe"C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\7⤵
-
-
C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\7⤵
-
-
C:\Program Files (x86)\Common Files\Adobe\Reader\update.exe"C:\Program Files (x86)\Common Files\Adobe\Reader\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\7⤵
-
-
-
C:\Program Files (x86)\Common Files\Java\backup.exe"C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe"C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\7⤵
-
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe"C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\6⤵
-
-
C:\Program Files (x86)\Common Files\Oracle\backup.exe"C:\Program Files (x86)\Common Files\Oracle\backup.exe" C:\Program Files (x86)\Common Files\Oracle\6⤵
-
-
C:\Program Files (x86)\Common Files\Services\backup.exe"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\6⤵
-
-
C:\Program Files (x86)\Common Files\System\backup.exe"C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\6⤵
-
-
-
C:\Program Files (x86)\Google\update.exe"C:\Program Files (x86)\Google\update.exe" C:\Program Files (x86)\Google\5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Google\Temp\backup.exe"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\6⤵
-
-
C:\Program Files (x86)\Google\Update\backup.exe"C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\6⤵
-
-
-
C:\Program Files (x86)\Internet Explorer\backup.exe"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe"C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\6⤵
-
-
C:\Program Files (x86)\Internet Explorer\en-US\backup.exe"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\6⤵
-
-
C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe"C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\6⤵
-
-
C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe"C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\6⤵
-
-
C:\Program Files (x86)\Internet Explorer\images\backup.exe"C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\6⤵
-
-
-
C:\Program Files (x86)\Microsoft\backup.exe"C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\5⤵
-
C:\Program Files (x86)\Microsoft\Edge\backup.exe"C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\6⤵
-
-
-
C:\Program Files (x86)\Microsoft.NET\backup.exe"C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\5⤵
-
-
C:\Program Files (x86)\Mozilla Maintenance Service\data.exe"C:\Program Files (x86)\Mozilla Maintenance Service\data.exe" C:\Program Files (x86)\Mozilla Maintenance Service\5⤵
-
-
C:\Program Files (x86)\MSBuild\backup.exe"C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\5⤵
-
-
C:\Program Files (x86)\Reference Assemblies\backup.exe"C:\Program Files (x86)\Reference Assemblies\backup.exe" C:\Program Files (x86)\Reference Assemblies\5⤵
-
-
C:\Program Files (x86)\Windows Defender\backup.exe"C:\Program Files (x86)\Windows Defender\backup.exe" C:\Program Files (x86)\Windows Defender\5⤵
-
-
C:\Program Files (x86)\Windows Mail\backup.exe"C:\Program Files (x86)\Windows Mail\backup.exe" C:\Program Files (x86)\Windows Mail\5⤵
-
-
-
C:\Users\backup.exeC:\Users\backup.exe C:\Users\4⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Users\Admin\backup.exeC:\Users\Admin\backup.exe C:\Users\Admin\5⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Users\Admin\3D Objects\backup.exe"C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Contacts\backup.exeC:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\6⤵
-
-
C:\Users\Admin\Desktop\backup.exeC:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\6⤵
-
-
C:\Users\Admin\Documents\backup.exeC:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\6⤵
-
-
C:\Users\Admin\Downloads\backup.exeC:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\6⤵
-
-
C:\Users\Admin\Favorites\backup.exeC:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\6⤵
-
-
C:\Users\Admin\Links\backup.exeC:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\6⤵
-
-
C:\Users\Admin\Music\backup.exeC:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\6⤵
-
-
-
C:\Users\Public\backup.exeC:\Users\Public\backup.exe C:\Users\Public\5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
C:\Users\Public\Documents\backup.exeC:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\6⤵
-
-
C:\Users\Public\Downloads\backup.exeC:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\6⤵
-
-
C:\Users\Public\Music\backup.exeC:\Users\Public\Music\backup.exe C:\Users\Public\Music\6⤵
-
-
C:\Users\Public\Pictures\backup.exeC:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\6⤵
-
-
C:\Users\Public\Videos\backup.exeC:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\6⤵
-
-
-
-
C:\Windows\backup.exeC:\Windows\backup.exe C:\Windows\4⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\addins\backup.exeC:\Windows\addins\backup.exe C:\Windows\addins\5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
-
-
C:\Windows\appcompat\backup.exeC:\Windows\appcompat\backup.exe C:\Windows\appcompat\5⤵
-
-
C:\Windows\apppatch\backup.exeC:\Windows\apppatch\backup.exe C:\Windows\apppatch\5⤵
-
-
C:\Windows\AppReadiness\System Restore.exe"C:\Windows\AppReadiness\System Restore.exe" C:\Windows\AppReadiness\5⤵
-
-
C:\Windows\assembly\backup.exeC:\Windows\assembly\backup.exe C:\Windows\assembly\5⤵
-
-
C:\Windows\bcastdvr\backup.exeC:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\5⤵
-
-
C:\Windows\Branding\backup.exeC:\Windows\Branding\backup.exe C:\Windows\Branding\5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1919363710\System Restore.exe"C:\Users\Admin\AppData\Local\Temp\1919363710\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\1919363710\2⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exeC:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exeC:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\2⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\Low\data.exeC:\Users\Admin\AppData\Local\Temp\Low\data.exe C:\Users\Admin\AppData\Local\Temp\Low\2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\2⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\2⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exeC:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\2⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exeC:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\2⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exeC:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\3⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\System Restore.exe"C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\4⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\TCD7FD1.tmp\backup.exeC:\Users\Admin\AppData\Local\Temp\TCD7FD1.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD7FD1.tmp\2⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\TCD7FD2.tmp\backup.exeC:\Users\Admin\AppData\Local\Temp\TCD7FD2.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD7FD2.tmp\2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TCD7FD3.tmp\update.exeC:\Users\Admin\AppData\Local\Temp\TCD7FD3.tmp\update.exe C:\Users\Admin\AppData\Local\Temp\TCD7FD3.tmp\2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TCD7FE5.tmp\update.exeC:\Users\Admin\AppData\Local\Temp\TCD7FE5.tmp\update.exe C:\Users\Admin\AppData\Local\Temp\TCD7FE5.tmp\2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TCD7FF7.tmp\backup.exeC:\Users\Admin\AppData\Local\Temp\TCD7FF7.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD7FF7.tmp\2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TCD8027.tmp\backup.exeC:\Users\Admin\AppData\Local\Temp\TCD8027.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8027.tmp\2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TCD8029.tmp\backup.exeC:\Users\Admin\AppData\Local\Temp\TCD8029.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD8029.tmp\2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TCD803B.tmp\backup.exeC:\Users\Admin\AppData\Local\Temp\TCD803B.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD803B.tmp\2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TCD804D.tmp\backup.exeC:\Users\Admin\AppData\Local\Temp\TCD804D.tmp\backup.exe C:\Users\Admin\AppData\Local\Temp\TCD804D.tmp\2⤵
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD53f6ae2b9c6e93918e4bb8ba23f520e56
SHA140d5817c0683772fc6de9faba043c09b1ae6de79
SHA256a4dbe64f83e943655d4595cd5c8c60818120851e6ffe3e6e1fa8416d4a4ad870
SHA512835ddecb9876bf848ab21ffd65494886668d9d0543f8f90698a3d52d8b426b37b7ed889764909787d2ae21b808275f20b7d86d140c132b7da6bb0fae2d3c9e2c
-
Filesize
2.0MB
MD59095d840cb44c62b2c3c2f35d0e6b9aa
SHA16caee0b4c01e505555f435c8cec4cdda0c2e790d
SHA256d2b454f4f0bae6a3b0d009fbc407b14f470381dc71e889f88fafa851e90a99cb
SHA51224616aee158aa4c37b833a086ac98d934302c0887dc91122690f61928eb32cd097f2f59e0843effe281af42751697c01e27b5a2398e67e087e9b5f5bc296ed1d
-
Filesize
2.0MB
MD5bb88acea4287a2d7b0fbb36cfb0ca0ec
SHA1750f113606b76718af040dc36456205c92243b51
SHA2567368274cb1f4001e317d3e3af4cdcd006a5069dbcac3eb19e5d294481398ec92
SHA5121044658417e7b7b1da39574158730b7d79e09c077c295ea9f771339d73e4147c3a21decacbb354da2738756796b802b43e48c4b6d365d6760e1bf9629e7f1ac5
-
Filesize
2.0MB
MD50bf483010209d0ad3fc20ce0e542325c
SHA109c0a7070fce5de57479332bb2f2ddb0aea5972d
SHA2564682ab9ee00ad07e280d25e9273dc7212c553363e07768ac48f12536ea2ce1b7
SHA5121badf30cdac6dfdb62da20574bed2fac72c7d77c7064254b3bedf9fbe4bfaa77b484570bd84e57e494e131df7345cfa01aba98071070304e8cd25863bd6f836e
-
Filesize
2.0MB
MD55b3f307297bb32983440d3020a2cab71
SHA1eaf551e4f435cd612b260f73be1d9c96c120442e
SHA256aaaabaa038f712e4ee68860efc41ba2a3e13a255af9d8a4d7a4e8aa7314f25ed
SHA51275e618e96abceaf9b36d786086c29202bfc2ca16c9fd20fdac4b744a0a6eaf1caf83e6b3834b24059cf544eb5438492a33937a5f728b8f40119a72b7e2b0854f
-
Filesize
2.0MB
MD528b7fac31ab01f816ab2c47b24b062a8
SHA16dc7b1f8ddf71d47f798ff88d7807093326d4c43
SHA256a8e83a98ac71219c7dba5050ad18a15379999ae1da55fa808bf08d13f38ce5c3
SHA5125f00a2951806267c68ec0d3bbf6a5dd2b938ac95d91a01e402d0eeedf15bb7c33238ab9500947c147f027205154bb524238c5e90d3146a3063f1983c996f4996
-
Filesize
2.0MB
MD525e2ee632b0e00a01ddbe7ceb08e5204
SHA16de6f95173e5c271b6c596ab13928634bf05224e
SHA256a98a6d05c752c084f75fd1d30b011bd7726b174cd6ecf7cea6021609627e38bf
SHA512907406ce7e2c45d6732b40e0b9117f7bb8c769e58a6c9000767300acca8b0ca473528a453a0886b26768876863fd2e2c0ecf110454bb4d00199b1f9613195671
-
Filesize
2.0MB
MD5e51770b641770a5a6c4a8ce661792bb3
SHA18b0c392d344d0d406d8dc87d7b7a13e773bb3b18
SHA256373ed3f907f3e534057a3243e428912cf629f66d02e3df88ac6ee7cc26995b29
SHA512eb375eabc9e01f8aa48b3a17429bbd394a58405640436616714d80bc0c5bb493132cd3667c9bb6de5ed60b78caff089ba3d5774b892c2ca9173318fd31558784
-
Filesize
2.0MB
MD58c49bcdd5cc2c8f81bc2c6bf3db58b06
SHA1fa8484ae7e943ab2de0f84fc336a288fc26d3ee6
SHA25625d914866a111764acff4f253645cdcf33feb34851b7c8b54b54de48f90bf0c4
SHA512ba81df00f54a293062aad2a485bfeebd259fa1bea7b9ccb5259343f1eb6be8986cd07d2d6493bc0cff3fa62d0f12b9e56e52439b11f49d9e40911d831ce4e60b
-
Filesize
2.0MB
MD5a314c135dce8c714c67dd2dd6604452e
SHA15c79fe15d71cbdaeabc02a14f2787c1dc82fe389
SHA2569f043a64cd106d7e0855fe4874cc54797eb3bb048f66da625f1828c2d8816f19
SHA5124b6fa3a0164553cc9099e50c98f7b5190ff82ac77707c23456a5e7358f74f8b722bb633ea65d74a85ac8dadcd8df1343235cb6c5609cbf4e0e5eb457937e8c1b
-
Filesize
2.0MB
MD560c5108e15042798ef1cb3779990e65f
SHA1ae95f8a45e6bf34ae81d52d5209c0f1ce054d90b
SHA2569f38dd90dcbcf82c62ab46625ba7d630cb07b86812b215b759606e1ccb26f81d
SHA512ad7045cfef563c4604a656f0ea82dcfa582fd4eed24e8803f87016395b4d1bfe93e9deaf50e4013a4699fbf8cadffd1352b4e5bd521d09712c70c9dafc3f384b
-
Filesize
2.0MB
MD52dfce2909809550de99fdb5518d5b18d
SHA1206b57648704a84bf054d3e152be23673b479996
SHA256dd76edf6e16d31a889d2e438949a5d0460da87fca0bb0d86ddef9c7c8b212102
SHA512ca630912251320d5f5bda8bfe1c22dc9416c62fbc8607f12ecc43d25b10f51c543acfec42539f54a4895b06acceeed44bd6b439eaeb2b735f332fe3b7c1d9ffd
-
Filesize
2.0MB
MD53b67f12d585d3335583d41b8edbdae79
SHA10c62cd803bb2403b88c88488720471020cc54364
SHA2562f19c4d5e64be08322195c7827900d679d98e5df0c7f92dfffa49ae59bbc543f
SHA512616cc1cab4ae8e6d91660f6f03c7941d13834d1239582131818cd24aa49a6d2487441abbf3076f4ec311d9741a36f637d3f632023d15ca058f547688b28209f3
-
Filesize
2.0MB
MD56ae4d195b86ce900b78872f9dc537cee
SHA1451e5f2baeed3434924b051e3a5fd2a1a1a05039
SHA25647d96bebe1cb8b3f9e8452d38ac41b01913cff8472b02fe7ed1b4d7fd2825021
SHA512cd4e2a6ddf8e73cfb721a28d27dbb21ab1cca84f50b26abc3f64b679e291653f2d5ed03063b7e6c86c4271a0ca539d066ee571035089cdca31c431fc0a6a3221
-
Filesize
2.0MB
MD531f8f74941974d4b22dbe2339282b666
SHA170c736c37ed0f773f41cb56c8769d091e034db7c
SHA256e601114c09f0915c44df94dcc7ee1eb47627eeede9ffb0fc75c24c1775d8cef0
SHA51272026ab4141bcd180b3a8f21cbc7d0149e7871db9b78b60add1c42b3280d8bfd2d437c6a1ad306d86c7cba6e43abcc9e6749fabe6d405bd54fe73e536cc98cc8
-
Filesize
2.0MB
MD53b4bfe984f1c0e118c8b73fba990a436
SHA12a98435d8798f372ec2324089cbd81f6d94b730b
SHA25623491a99662af568e112b794891ece96fafa2511139c76d156a11517403a1754
SHA5124334577d79b786f2f1820ab1b21a52f58296858425fd91588b25e48a021cb60fa1f0783d232a9dcd2a5cd1df786b351a75ff27ebd4b92a3cae50af8f6416dc47
-
Filesize
2.0MB
MD5da31df06e181f36f08f4a134dc12b538
SHA1fbc32937692b4e6c600960b0860321ac3d52ab83
SHA2567a90a66a2fc48d581f09a2d45f1928a833a5c41a7197eb7c51db10fb1965bcd9
SHA512cf580e890a9c8c909b2b710fffabebf465b578d378599e9abc7e6f9e134a4c6adf909a97ab1bbfd4e1a06bfd552eea6432f7ade60132518a66bd907426cc2389
-
Filesize
2.0MB
MD53b6e65b1907b9503c36cc1c19ba4ee58
SHA11be985e763166f0726a5abb22fa92e6a4a78c233
SHA256d4d6d607b9f77303b99c914a6d9199c91208b93703cde2986695905c5f50aafa
SHA512bc2c25191081dfca290aedb516f09f9c20b04c77900ca8ac5d30c5263222e8aa5082db3be2cd11647fc85f55214cb94f9db0120438e2f0300c8fac2f687dbc5f
-
Filesize
2.0MB
MD5a4448638fb22411298b2cc5c18964dee
SHA18b49fec320c556508af3cc5d62e756f0e7b3f82e
SHA256b63c56425690244ade7819a1900fb341a1d05cf7cf4c43b4fa747b1f178d3c25
SHA5127099f1f13f023c00dba02dc4f615e51ea2135689b22bcf0b13a647a3c4134c5bf7a26fff09d9b4a3c8bf92f994965aff1805affa58686aaafe08b8c4eb94c34a
-
Filesize
2.0MB
MD542698a113bb2f3848912dc9618e722e6
SHA1536ef10cb3a8c3f1ad9372098afa63c26f9d7b2f
SHA256a052606e4a3a31e2f29f43832160e15098d10e7d8714b2684e340c10580a01ea
SHA512e0478a8afa45dc54f98aaaeb479280fe2e1e22380b47d9aee2a6a93ab8c33c44d1df0073231c8ca52994bf534db488e57cb2e21d2f0c181805d5b72d2c1f3f77
-
Filesize
2.0MB
MD53cbfc1ed6dabe5131fa93011949705d6
SHA1243a2bee034a00d1ab2c9b7fa7c2d1ea0e73eb79
SHA25687fe7dcf6dcd7b12cd6bd0f41100c6bed105bc2a635cf25f572a2298c6d306cf
SHA5127c261bfc4419d452e26eb3523d480be1080e6182e4c49fad033d983636ae8ea8a02ea3580e27b9ea7a5583afa9e416eb81198560216e0baecb4d211130648e65
-
Filesize
2.0MB
MD5aefb35e940c93631c527e70a553b8f11
SHA1c885387579d1fe1fbe34a5a2a000c5e942e918f5
SHA2565d61134c11979766cafbdd4931339e5f808e55be50ddfba348cdc3855a6ba1ef
SHA512e4237225ab4761fd1c87eca5da6671f3b0f5e55d0d11519737e1875e421ab6c9070353a4c8f4bb262d39e44c3d3343eb3151d6da640e55536b3a4632ddc2bf7c
-
Filesize
2.0MB
MD5691de275317f7bb46b4d79a8fa4929ff
SHA1f6bd0ff2c23825c6166ffab586bfe4830e1efe28
SHA256e7b1be7db062826b0f4aca248f2ff12bb8373b29e9dd0729b642185a2e8a63b9
SHA512f80cff78ed87d1adef1305e5dbe165c3e8691fb9eabbf6ed121f81c0b11be8543375edf634e43d996d80e77d2ea6fdeba721ec46499b6bf69969cd8f05dc8a87
-
Filesize
2.0MB
MD5a28ea39131622bdc003fe12f379f9f6c
SHA1eb145c30d87451d1c6a2eb58baf7731fc22ff4d5
SHA256d18e8d0148331023434f01a0fa9981043b7f0faeebc4d6393ef94faea0f61b0e
SHA51249b285e7477c845a22586277013bce67ef54187ac97b483d70894932d8f9dac27852c6933736034e8162a1e3d6f23123c9e4b01e80a43952c9c976be10079675
-
Filesize
2.0MB
MD5abcbba5a0a4c664d14aa377836e9b833
SHA10c93e523b72b81c4ec6cf20ec40f5c5286ceae19
SHA256b670260e10bf3c4d1a41d4287ae43b613cdc6906b6a1b1902df50cd0e1bf6722
SHA512b581ffd6b2e6a23b8ef450f8b9651bf922e1756188226bf3355b95b2c5f4b2e00376bd69d2d8e6d2dfd812934bd59fbd56f3083147304636c242e0226db2abc2
-
Filesize
2.0MB
MD5125eb212d6ed77320e25b4570b75bafb
SHA1cad9d5646054e19587030a5d8f806e8d7ec35780
SHA256634c05df9e61cef7054ff5fc7de957222563cd3933415e80f60533884cb84904
SHA5125d6f49f273c5be0fec1175a25340081f4d3efdf1625b44b97ab0183f84e29493074f11cf6433af714a6adef32c0195d4a5f7735d5f8b778bb561139ae8e2af02
-
Filesize
2.0MB
MD5130dab69d8143d91dbf744728b45ddcd
SHA11027bee1dd0b35153c0e2be207591ff9fa38db50
SHA256c26ae64f4e9e20f1f079ff3237c040bd681a107349920f60c33e796ad993cca0
SHA512afbb91852cabddc66888da00a24f5c2f6d41a5b0b4e71c1c1a03548f8e897e7989ca038d438aee45e5a346aea48921285d8d564fdf885445632e456492096e21
-
Filesize
2.0MB
MD5566923ef2e4297e3869594760ab6f059
SHA18d17765059301c4c328f3edccf421e30a23fc286
SHA256b5d811edff71d17926ce6eecd2fc675a5b874cbeebf37765ae73b2d35a2990ea
SHA51293cbbe4bca9abc98e9772d00719ad4f5642c2b4b6d3c09874d04f3ca0b3f4d0a93e852e685419019f243d5055801211e1a542ef5c742b24d612fab4e3448fa24
-
Filesize
2.0MB
MD5650ac3176b8dea483f49a6ba45361588
SHA1258e106df42ba082315be28bc0c72243a913a1f6
SHA25612b6418de7c18e2eb01f3651439bdb9944aa116c599a3d845c4b48f460ff7190
SHA5124f08cbd877eb45ab28a55e9811a26a09608797f80d79144be62e3750a82d0e16e2b3bfa54a46de5f31ae100c71d2b750880d5513c25586251a4c6f3dba160082
-
Filesize
2.0MB
MD574d4ffd6277c139bba787da20dad7f29
SHA117102c85355b7f4b3cf820a2672b1387e988984e
SHA2565117ab25456a85cb0b055068096a0e5d716441d36b09756c1ef09dd086acefa4
SHA51251ec5532dffd75f6e160c94c1f8d5ce96c7275168d114477db615ceafde20a3807e882e67b4bda0e62d41d69f3d00a6e99b53d125ff3acbb4554a21cc3bd3041
-
Filesize
2.0MB
MD5c35e3d8f4ef0ba716177fbb2c7fc0396
SHA19a5849f5d4c3ef9c0986b636c7d584524c7926f0
SHA256d6984b7ecae2561760c0a510c27bc8162ed232f72bd7a6f46ed9fa03c349400e
SHA51201d8478c653b7654335dfe0d70f6043238a78b495b6fd8062395b93d45b8fb84b24d6d5d2a1f6eef070c3d5ef8c0ccb1353f6e0ca861d0c18b6233306fe8cad8
-
Filesize
2.0MB
MD5879f8053233b2e1ce6d450aebaa777ef
SHA1c7855bc35eda04d7951e840cb0b34e56c8e0e4e1
SHA25666614e52c2a5d1b8d196a8939bb49fe993d19fc2b5c859eab16b50733e10ae1e
SHA512382d303b40be0874eb6d39118fc968c029b67fff13e606ce45b61ede53436d55488b67951fb02097e0ae339048334b3f2fae04187e23f30f670edaa1270d98ec
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB