Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25-10-2024 03:27
General
-
Target
a59ee5da5832f84997cb73323970bdd1b0726255079d0a0bcccdf517b685776b.exe
-
Size
4.9MB
-
MD5
7faed207d5f74070e86f9f0b67985bd7
-
SHA1
dc6e45da39c6e7bd949c70b768006b23a424f238
-
SHA256
a59ee5da5832f84997cb73323970bdd1b0726255079d0a0bcccdf517b685776b
-
SHA512
615da33c5d754be2e9f9ee43c766cbb248fd701d92933484d0c8cc6f7764063e6238da368a50ae31d3a88c3437338ad039c4d801a3f43f5554706861bec97057
-
SSDEEP
49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 48 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 48 IoCs
-
Checks whether UAC is enabled 1 TTPs 32 IoCs
-
Suspicious use of SetThreadContext 16 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 16 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 48 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a59ee5da5832f84997cb73323970bdd1b0726255079d0a0bcccdf517b685776b.exe"C:\Users\Admin\AppData\Local\Temp\a59ee5da5832f84997cb73323970bdd1b0726255079d0a0bcccdf517b685776b.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmp98B9.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp98B9.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp98B9.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp98B9.tmp.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xb3wPgb0HP.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa208b96-fa28-42bb-bb3c-160cdfd4215d.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9e33841-88dc-4b57-bb74-342812fd9920.vbs"6⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\671b2a80-8e51-4d42-abc3-285ffd618de7.vbs"8⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62e63f7d-e3c7-4930-804f-6b33b9049a61.vbs"10⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a9960b9-3e00-412d-99ed-2136667b09ce.vbs"12⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed101bc8-99c0-454d-8c78-7efa32a2b976.vbs"14⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4230f941-35f9-4c8d-b7f4-98fa1e8b6c3c.vbs"16⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb0dad17-55ca-41d0-9d15-eb45a353eb5f.vbs"18⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f294d3fc-c5b7-4ec7-bb0e-75f1747375af.vbs"20⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d57c318b-27d4-4dfb-a4e6-962c2ea51a2d.vbs"22⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c44986b5-1028-4ce6-8949-b3533f95570f.vbs"24⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ddb8b33-8781-430e-946e-cc0cec0de90c.vbs"26⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81d58ac3-41f3-4048-aff9-04994b17e028.vbs"28⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc115ce2-ceec-478b-a787-a526778218fa.vbs"30⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"31⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e81f9015-6fa5-4bb0-a12f-e7dfbd5d4d6e.vbs"32⤵
-
C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe"33⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\496ec0fa-3b1f-4e5d-86b3-afdd0543f411.vbs"32⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpC3E3.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC3E3.tmp.exe"32⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpC3E3.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC3E3.tmp.exe"33⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41052233-7190-4345-b5e9-58d2e77eb178.vbs"30⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp9476.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9476.tmp.exe"30⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp9476.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9476.tmp.exe"31⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\116c399e-afd6-4ea8-86bf-b2725b71c5e3.vbs"28⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp797C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp797C.tmp.exe"28⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp797C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp797C.tmp.exe"29⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb840ca1-e95a-4d05-a8a8-cb59cc451561.vbs"26⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5E43.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5E43.tmp.exe"26⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp5E43.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5E43.tmp.exe"27⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4288c50a-6ae7-41ac-a54f-06a8d90fa7a0.vbs"24⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp2F15.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2F15.tmp.exe"24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp2F15.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2F15.tmp.exe"25⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66433bd9-af26-4615-9328-551ebe794ed1.vbs"22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp1478.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1478.tmp.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp1478.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1478.tmp.exe"23⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed4de0f9-a797-4553-b0f5-a21d96b3567d.vbs"20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpF920.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF920.tmp.exe"20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpF920.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF920.tmp.exe"21⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f031a15a-0225-49b2-a2b9-2c8aff5bb7b6.vbs"18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpC927.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC927.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpC927.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC927.tmp.exe"19⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68fdc07e-a7f3-4372-8aed-3606bd92af5b.vbs"16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp9B12.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9B12.tmp.exe"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp9B12.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9B12.tmp.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp9B12.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9B12.tmp.exe"18⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4f35c43-d447-4b42-b5b3-b1108f11f680.vbs"14⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp8037.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8037.tmp.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp8037.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8037.tmp.exe"15⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48783b1f-8eb8-464f-aeea-e60d6f8e47a7.vbs"12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp64D0.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp64D0.tmp.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp64D0.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp64D0.tmp.exe"13⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aec36c51-e848-4c63-8a3e-a56fb1e902aa.vbs"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe"11⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b738bf1-8457-4f87-82f7-01e7c3bd7c15.vbs"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp431.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp431.tmp.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp431.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp431.tmp.exe"9⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b3def1-725c-462b-8dc1-3c9c56539001.vbs"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpE89B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE89B.tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpE89B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE89B.tmp.exe"7⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ea14629-b378-4988-a74b-5940b8c0efc0.vbs"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpCBFB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCBFB.tmp.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpCBFB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCBFB.tmp.exe"5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\swidtag\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\swidtag\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Desktop\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
740B
MD5e070bdf43d694ed339eb9622719d71cc
SHA1b94c54d9f2ed1b9d4d264c0e896cb27378d745b8
SHA2560cf861c526c0a7bb873138ed607fa5f91ae68e32385d4152789b9002ee7aa88d
SHA512ea5c1bbffa24f16d2982becc9aa2ef1185dabdecc93ef7f9d3b984c6b5f6644ac3be3340691b7dd55390670dfec423ee0412eeb9a4ed7dd0c2fb79c634dfa128
-
Filesize
516B
MD53d2cd6b8c4f3f35ccd4b22af47cd79c9
SHA133bc891f08416bce3920e824235a9dce0a8c3a2a
SHA256d296d7e07872cc7da4992179e486115e119f532f1d864b0065508b887942e2a4
SHA512f2010ef7297a9f9d8d53ca57be4b2391b0f5b048e44a9b79ef72d36d24977992d9819d066245635d3d2fc1b7f9182bfbd2bb3861cf8185bffef84426a5ab2a52
-
Filesize
740B
MD5cb2c6dcfed3bc1f0018b589e386512d0
SHA1831f62c50f057cc0068599cfb3cdeb0ad4e643e3
SHA256f0e10c12a7c3236d0b76cda521ff8b9dcde9cd6f52fa4003643bb0102ae668e6
SHA5127d58387c73b2672b2f68410f91f2feb41d8860caf07ced8117689f0fcda843bfb77247371d06214d68590e8bf52e8e445b054aee918c6fabac6cf9720ebe05ae
-
Filesize
740B
MD5b6eb12dbf4ca010018f066b4d0659199
SHA1a7cc9f00733d9e1dfcf2b64b699555bf09719b13
SHA2563f7d6cf527c2e17e4697352fba08cef4d660512a106884aac80b02b40595c2ee
SHA512701530984b28ce7e7918145248a041a097cfc353f0762ae9e73facca6f458c25e580db06a952ff24a3fff0b08ea94caf0774ba916f78b3520a4261048f84d775
-
Filesize
740B
MD553225bf51a2e8a8724c7fc963d4fee60
SHA131df8a2d9efca8a01ceca7e373d85d6847475e64
SHA256b6c9e732f6813e48d7683ad7ce5500c777dd8fdd6090341df264e513b911a682
SHA512be3f9f96e5bea12ac57f3e0cf073ccc1ca1d1778cfa9da9cec8b9bd0689d2380d2a485847a0b9d56d626262b82633254c133a77af260bafc94fdaa021f103bfa
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
740B
MD535a1c4a6002bdcc6f550fb6b6352ec0a
SHA1be514ba02731085469d4ba96e7feb9550f030e5c
SHA256f8e46515e04acf85c4688363f21d3c47d208bec48338feb96e2333e37776f832
SHA51243209731a972f8a834ba777a893ef102eaf5279b019e31b18fb967fbf00f1c0bfc0e80c6aceab531a27c5e3e5d26462a5a753dd9c99471c26fd0658578174d3b
-
Filesize
740B
MD58f8bb7499b4f810e53d510c1d4253641
SHA1827a1831c575f2bd5ddfdb0d408d68e2d1678779
SHA2569e9035f8069f244a327276fc6c62e612c90a4ae9746464a61d59727015a840e2
SHA512495cac907c349c313203ca84efe23d3a02a5ad7b150fa2110d0dd6320a48427cc1efbc387f81acea1400af4549639ff2e16aa92e7e67266d342bf6f8a73cf711
-
Filesize
740B
MD57580eb2139c8fc76a7868175c13aef27
SHA15548e63e349f8d561e5663892de69408ad2e968f
SHA256bc043822e528d3dda43edc6424a0bb4230d2e71125b2ec3cdb133706d5cc6505
SHA5124f961761a255a050615c29b64ea08f00003dda19a7b40f623ba66850a9981d973b9322a23c81ed7b8dfd1e04af731676b5cdd12d74e56dad98649971d6ef2987
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
229B
MD5850fdc2c4d6d104d280ba3198d385ba9
SHA13b55c00191e0911d3347909b0d6b86bfb29a8439
SHA25616f610c58ac9c2771f6894f7a8f3fc7646e25eab333f782537aa0e301e1400bc
SHA512853f780c93969c6a9767a57c0ba9be89f92bc4a8199c71867d79e36b3be65f8007ebc1e07e64520d7f8bc08af1698a21b6d05aa2f948720a379b0ba8736e66e7
-
Filesize
4.9MB
MD57faed207d5f74070e86f9f0b67985bd7
SHA1dc6e45da39c6e7bd949c70b768006b23a424f238
SHA256a59ee5da5832f84997cb73323970bdd1b0726255079d0a0bcccdf517b685776b
SHA512615da33c5d754be2e9f9ee43c766cbb248fd701d92933484d0c8cc6f7764063e6238da368a50ae31d3a88c3437338ad039c4d801a3f43f5554706861bec97057
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
28KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
5.2MB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
1.2MB
-
Filesize
10.8MB
-
Filesize
5.0MB