Resubmissions
01/03/2025, 12:05
250301-n9ewpszxft 1001/03/2025, 12:02
250301-n7vjda1mv9 801/03/2025, 12:00
250301-n6askszwhw 1001/03/2025, 11:57
250301-n4qe9a1lw5 801/03/2025, 11:54
250301-n246mazwby 801/03/2025, 11:51
250301-n1j43a1kx6 1001/03/2025, 11:48
250301-nyxmda1kt4 601/03/2025, 11:46
250301-nxbzaa1jz4 10Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20250217-en -
resource tags
-
submitted
01/03/2025, 12:05
General
-
Target
https://github.com/enginestein/Virus-Collection/tree/main/Windows/Binaries/Ransomware/GoldenEye
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
UAC bypass 3 TTPs 2 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
-
Downloads MZ/PE file 4 IoCs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Modifies WinLogon 2 TTPs 6 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Hide Artifacts: Hidden Users 1 TTPs 2 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 29 IoCs
-
Drops file in Windows directory 4 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 5 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/enginestein/Virus-Collection/tree/main/Windows/Binaries/Ransomware/GoldenEye1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ffc1d5f3cb8,0x7ffc1d5f3cc8,0x7ffc1d5f3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2384 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2328 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1200 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6348 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1820 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6036 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1584 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14908063324169748572,2988511730487645919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\GoldenEye.exe"C:\Users\Admin\Downloads\GoldenEye.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\{6e37e6f1-ab4c-444c-8ff7-8d77732b58ee}\mfpmp.exe"C:\Users\Admin\AppData\Roaming\{6e37e6f1-ab4c-444c-8ff7-8d77732b58ee}\mfpmp.exe"2⤵
-
-
C:\Users\Admin\Downloads\NoMoreRansom.exe"C:\Users\Admin\Downloads\NoMoreRansom.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\Azorult.exe"C:\Users\Admin\Downloads\Azorult.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "4⤵
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"5⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"5⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall5⤵
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall5⤵
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start5⤵
-
-
-
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"3⤵
-
-
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
-
-
C:\Users\Admin\Downloads\NotPetya.exe"C:\Users\Admin\Downloads\NotPetya.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #12⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 13:103⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 13:104⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\B099.tmp"C:\Users\Admin\AppData\Local\Temp\B099.tmp" \\.\pipe\{91B16BB8-AA63-4FAA-80BE-8AA7F62CBF15}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
-
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Users
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
5Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5c5ec8996fc800325262f5d066f5d61c9
SHA195f8e486960d1ddbec88be92ef71cb03a3643291
SHA256892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA5124721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a
-
Filesize
140B
MD55e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
Filesize
12KB
MD5806734f8bff06b21e470515e314cfa0d
SHA1d4ef2552f6e04620f7f3d05f156c64888c9c97ee
SHA2567ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544
SHA512007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207
-
Filesize
1KB
MD56a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1235a78495192fc33f13af3710d0fe44e86a771c9
SHA2564ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d
-
Filesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
155KB
MD588318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
Filesize
593KB
MD56298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
Filesize
961KB
MD503a781bb33a21a742be31deb053221f3
SHA13951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45
-
Filesize
418B
MD5db76c882184e8d2bac56865c8e88f8fd
SHA1fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92
-
Filesize
152B
MD54815ecce34e90c0f6ca91c7e35be703f
SHA161ec0042ccee59f6bdf6b96eb9f412cc97717702
SHA2565db366717739338c23e07ca15aea2b48924a3b3ecacb214221239333b11ae7d6
SHA512751dfd6eea90fc4efb557611e8afc6ef1634c4e2bdd97f3c72638def09f644ebd8bf5696b9ed8379973106524d08c67188f7f64c0f941e8f95109920120dae05
-
Filesize
152B
MD553c68f0f93ab9a94804c00720a0bcd9a
SHA19009307d51e1fd60f9a90d77007e377c7f893434
SHA256a38f0777d4ca9e777191cc924c22eb1847ae805ab79ff224860e8c70d7f49422
SHA512a1d5b92fced821328a668fbfe9ad694b99c873ffa3ed28aa5bf1e8ef8054486289b5ddb26236cfa7c1ca0db993f306cdfc5878480b6a543aca1620075f77d670
-
Filesize
1KB
MD5262cfc83714148c20d289dbfa9c1d6e8
SHA1bf374c14a91f579e11414c252d8c912bbb95228e
SHA25658d12ccc249360e59bca3b521a89db1f88aae3375d48752b0cee417f388a3c6a
SHA51236eb3718f0a7dae6209f528e5af3b33b14eb578fe781e15a2acb50e49245f9f824ba4815e5c09b5c5f3e12d6c730c7e66e8da0a499a9e75d5a8c47bbcd7a07c6
-
Filesize
579B
MD50a8a7c3dafeb4ad3d8cb846fc95b8f1c
SHA169e2b994e6882e1e783410dae53181984050fa13
SHA256a88495f2c1c26c6c1d5690a29289467c8bb8a94bf6f4801d2c14da1456773f90
SHA5122e59b4cd4cf6f86537aae4ae88e56e21abcff5070c5c1d1d2105a8e863523c80740438cc36b2b57672bc7bb7fb9387896135afcce534edfd4697fecf61031a5c
-
Filesize
6KB
MD5a38ba4ffd6efb1da45555023a1e92905
SHA1e0f8a98c2ffc4a298494944d77beaa31117caf91
SHA256211b124016c410ce3f57789b6a8aad499883f7c743019ce208fcad406def1fb6
SHA512429374287996db37e89419d41d4cf66ca328155429d785acc4cea876c05df500788acfef97b77a8f2eeed0678a9a85e6490951db63fcb8bda371e7f519c8ff58
-
Filesize
5KB
MD5f59045921399e708d31af1333d57ea73
SHA1f039ad015e8e5a63e7d2a204f6f9ea7c82407054
SHA2567e0e5896b3c079335a37d75afe8ef353052be70392919888c4d4f89751692c99
SHA51282854710a9bf7cbf9db59c41c97e4b5b192ca58d81f44590e7cfc83561c75d97165815b9c48cfe83f87126f2392a10f5a5b44c1b7d8035ec9f24553e27d85d61
-
Filesize
6KB
MD54b0c3097f07965897ad98ef6064bb2e3
SHA19e339f0da83a6dcfc305089375a33ec0a995b53d
SHA256ef99d6fb6602f65a2e21edd5a44d86a2850388827e770ff65f22e4e7db645ddd
SHA5128d9d06d6744d22e24de47e7d850b43169675645ee612dfa2648f081653a2336a9193d6a7f2b55bcdbe6e0788f1759c4966ada184782b3151bae9b45e97ba193f
-
Filesize
1KB
MD5eb78079d6904ddc5484be1bd01fdac6c
SHA1baaae266dc94ff63b7122848e89d3117a3dd1c1b
SHA2563059a9d7d6ed80367925b5719b4cb9cb6a5c58668af1d3480a5d204ac3d3ecc3
SHA512dd63dc960eaab4f3fac29d29ed8ee914e2fd6a99450533a08ad8b6edeec8276e965c3f5b9462bfe282f7140ec76dcd428814fc9bad6b97173a0164cb22910a2d
-
Filesize
1KB
MD531651cbcb14bc0084bada62eda5ac483
SHA19726c7475cdc0ab25e27e8206b89da4d7e39c6aa
SHA256b13722e5847aa7b3412b4639f6e7781527aebb7cd8a0238a7dfab65ad11c72c4
SHA512d5437fe77c262f960a73ac9d50eb988e7ab6cdafb450a13014fe40b51189c81190a190324348f1212da0169c6da914465bf4a9a8a3e6e604b353f338c2b60ac9
-
Filesize
1KB
MD5aff948311acdf26e52c6a3b146d64319
SHA1e1371fee705974342c6849c09da3381eb575d3f2
SHA2565611772133c799d7ee97469bce810fbc8d21c7df64179f1aca1c3f4269db9b55
SHA51244ef6946f46f824dc6ac50da8b032646e4588bc96f45f0817c74e86be9f4cbe557344ff3bd1a690c0ca7384771d3b602cefab6b036d4f67fefc882bee4a14f58
-
Filesize
1KB
MD5a0a2e4ed303248fb170413363831e059
SHA1177e9659b9bcf8fe8f6bad9415900bf5a397c6a2
SHA256d982577bcb1adf937d21f75bda1e4639e6765c45e91049f83d1c79595e4f2427
SHA51235be0c2bffde0017c6fa70e6bcba24f4d9931d580a78c0abf101373dfebc319f7ddd6ba663f28e86adcb88f16f79fdf3c578d1b3a5d8a54feb29c2b93f8e0cc5
-
Filesize
1KB
MD53e6367678da5be1194b5f9d9cca5f761
SHA1d6c984df0680fc9ea929133a59c28d2e876a13d7
SHA2564d75b2911d406a712cad450251dfd296400422c7d08cafb2170e7c28f38de141
SHA512b701aaedf8542091fe3f7bf41a0ba7ca0adafab8b30344c2a459cc5384c4fc1800c88bec4807810f82b6a25b22dd90efb0b1c6c2645d792e3160a60fd2e304ad
-
Filesize
1KB
MD51bb08476b3e3f6280467e8a8098575c7
SHA1554601a115bc27d1c43504906cc41b92d575aea6
SHA2562f5ef4dc550c9f28d97674a7ec91d7605b7794745141d48b1f4c796f9ab01ea3
SHA5128dbceafdd627502a4ef1395df9a87a04dacd3bd3da3076cd5b3a4983e702e89187c0975a54c7c85e2581d44aca9dd7cb7466c5300f5c08cd691027bcb40c9c0d
-
Filesize
874B
MD53a7ef89f9e0989055000106676f80a30
SHA1ebb79a1f3d9b23f95111c68711cc0c9002f30067
SHA256196a49bc9b82b170dd6a1cd2b3c9e803311987c122fca9f583189d470725a0d3
SHA5125896a9ace373c6a1e8a4b548fa6a5fa7085aa8403f2f7b8d1e9fec7b8530f273e9936aee5e2320675daf270a5d577451c26ac8471f5c38316be72d01c1a4b1e9
-
Filesize
1KB
MD57c98d8ba4f291e484674a533580e20f8
SHA1e9ae79648a278fd0bcf8df2b9bba3f1d99e1f8a6
SHA2561052a9e5299d488d27b02e42b04cacafdcec98e5e7f93ceefa89089c07299536
SHA5125e08bb98b4948890a0883c0fb1b632f444fbee048e58589212bb7333da890dac8c47dc2b0d39d1ded0097925b16d7d8747193fda62925ed621d8fc8013ad74bd
-
Filesize
1KB
MD519cc768569dc17bf910ae2eaec7e7aa2
SHA17bb9afc6210660ce01ce2d56c1f7763a7f8bc7b4
SHA256b98bdde7bbfee9bfb85c2447a364c6ff479657a3db83fbdfb3a3e79739b4b218
SHA51205398cc8fee1d4c5424c3179160c93ba9fc072e098b415b034cd27473a6cd40a45c88da90352d732885d56efdc9b7959269ecfd75121f0c87bb34b4eeafaed6b
-
Filesize
1KB
MD59bc2c61191509d5f148bb47987ba872f
SHA1f0106b7a7c4594a799633798598c4161df25b6c4
SHA25656a25a5cb57ed6359ecd9cc0c122ee1aa96cca3db7f52e5fa26731516595630f
SHA512f427ae5526fa0879fa20eef706eb2b075005f453114ff3921c862e71c204113ababf6604f3e1366b873a38486564ef1847c11ff7da485b793921c0a418bc1682
-
Filesize
874B
MD5ceb6f5e2d618a45c992c54e9fe5af1f9
SHA11835c829714bc4a46167274954c969cfc0434588
SHA25666d6de9b1e0276fb23f64ffc14176e9c710fa4cc496bceab7e45f5314c894782
SHA512c785bb95b42fe68fcc16ce4f5f87e4662a3956f95ad68c04fe9b94bd1138e7125e77751d02ca5ed8a7786a9ef57eb563e9a3ec6d6f217bedd0913b1555024398
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD569751c01fe358e449945d3d1e8a6c389
SHA18f97e93e4fb50a2efb3964fab5a72ea06dbd5a9b
SHA2561800d9aad5d95659aa384a0f8a3f825a25ad5c9a27f5b6ed0888e9f755ead856
SHA51273c5e5b4cb361790584082e26d77d77a94be967c6c5befb670dc49905f79050818001a435e9422b412b953e258ebbb0d4a7d59adac2b837a98403da08fd941a4
-
Filesize
12KB
MD5c644b8017ea8434f3c20c28225053b12
SHA1c81ff699596b2fbe82f4efe665e8cedd2a2c92bd
SHA2567ce050aca4a06b99dbf2d429b4cf36682a2e29773fb95678469ff945a072f969
SHA5128d65b67004228d7762a966e3bbdc011f844a26175e6e024d46fd692a9443104f47016ac72eed5e3b014dc898190b6cb32c0ce99cbc38e83ba667cd17a8a60b69
-
Filesize
11KB
MD54b9c4a183130ed5a6c0f0c914d6b0117
SHA14b5ba5ad8d4314233d35fc01467cae0623ae774f
SHA2565cd8e2c2729e5e4ffce26e4a41fe3922d1983642b3ef8668ab0df7694048b566
SHA5127266d01c3d45e5d825d30bfc524ede11db4f61e02104eb0d9cab2013ad4329fc2e4d0d1b0b86d0dbdaee396616bd120ea7973db47d023c5be357344845e9dfc2
-
Filesize
12KB
MD5131641e04b0e9f3e610c2ae1085205d7
SHA123fc9731e11a0b25785f28db9556ed372d963af9
SHA256f2f4e88d0851b08f2562d13d572b391238246194f4bdf0bbead444ac2d09fe30
SHA5127d2af30d2270b62e929177e7e2a03a29e132e8306593746f79044a9c1759dbfb56df4f50264d09e87481d9b4c523f165a27d1166c8410321564825fe36e9a4ee
-
Filesize
12KB
MD58a1f29412d383e2a0bb549d297bdab13
SHA10f6aca20212059532bc19cbfb7d42cbfb5f1391d
SHA256e3c01d2cd2741720afcf0245d522a8e586e3d6fe191163fb1dbda30ccf643c8b
SHA5121c9972fc2352efffeb00c60663721da6104d4c2b6ac89f5b5e27e73250f0d2fac5e01958de22e3ac5ddc51727810d114182b14a56867f44713459a4be8b319b3
-
Filesize
55KB
MD57e37ab34ecdcc3e77e24522ddfd4852d
SHA138e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA25602ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA5121b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587
-
Filesize
4.5MB
MD5f9a9b17c831721033458d59bf69f45b6
SHA1472313a8a15aca343cf669cfc61a9ae65279e06b
SHA2569276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize
254KB
MD5e3b7d39be5e821b59636d0fe7c2944cc
SHA100479a97e415e9b6a5dfb5d04f5d9244bc8fbe88
SHA256389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97
SHA5128f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5
-
Filesize
390KB
MD55b7e6e352bacc93f7b80bc968b6ea493
SHA1e686139d5ed8528117ba6ca68fe415e4fb02f2be
SHA25663545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a
SHA5129d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6
-
Filesize
10.0MB
MD55df0cf8b8aa7e56884f71da3720fb2c6
SHA10610e911ade5d666a45b41f771903170af58a05a
SHA256dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
SHA512724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a
-
Filesize
1.4MB
MD563210f8f1dde6c40a7f3643ccf0ff313
SHA157edd72391d710d71bead504d44389d0462ccec9
SHA2562aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA51287a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
Filesize
143KB
MD5d309e1391579364a758c67fafb3b6e8a
SHA1d36d77044dce9a03766fce192629e6d2bc2e8dd5
SHA256595e2825095b12ddfba4ee6f98f4f6cb1ff1fbc37a3b3191b2fc203d486ba163
SHA512b1c5af6894983c58564a2b3b63e36edf0a2e5f6e6ab5268030eaf3027326dc2a9fc31e449a7dd12078a0e878afa753872e309e0e16bb58997e7fd3b8c03aa6cb
-
Filesize
353KB
MD5dec4a653645b61e2a571a4455ac5c88e
SHA13462a834d62f07093e3128380f7638259372264b
SHA256bd2bab2ee246af92d3cb868bf0bb4f337b6604c192a243ec9cfa992310341188
SHA5122ea846b7e8542fd11914e3cc65d3c21f4cc705c83d4a6b9ee00f23e7c86ab3f4b4717ce2f0aa273976752b84a6af15a8b530be01b697b68d23d42aaa7400e675
-
Filesize
353KB
MD56f6b916884a301fe42518e3adb5d340f
SHA1566a2e31aaaa345cd2ed4cde11b2988b4a90cfa1
SHA256c4dd2a06110eaa8d5653e0dcd3891e822a2eb7134a905fb74d6858610e7cf197
SHA512fb81897718f255ce0d0af97c657d10797b94f7b04596b3d206b1ca1b4f2e1a0e791fd52caf10489a60d53eb896ef9c88a31f546e9e73d7778ece73193204894d
-
Filesize
4.5MB
MD5c097289ee1c20ac1fbddb21378f70410
SHA1d16091bfb972d966130dc8d3a6c235f427410d7f
SHA256b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2
SHA51246236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB