Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
27-11-2024 02:04
General
-
Target
078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe
-
Size
3.6MB
-
MD5
646a50d060ae1b649f0ca735aabf5744
-
SHA1
a666932e153ef1d2c2463009e0df4de9bdf73322
-
SHA256
078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd
-
SHA512
0872641f90557c8ab8dd015b9486061b85a48ab7db06a74f6787ab87685f2bb6358eda822ba16757a7b6fc8fe1744a831ea76f47d6130225596a285bf9dd1f4c
-
SSDEEP
98304:EbRxeIaNRcgnk9MO32RzRpAH267w3adH2fte4I/Bu:E+IoREF32B67wuH2I5/M
Malware Config
Signatures
-
DcRat 61 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 20 IoCs
-
Process spawned unexpected child process 60 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 48 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 18 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Adds Run key to start application 2 TTPs 38 IoCs
-
Checks whether UAC is enabled 1 TTPs 32 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 17 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 48 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe"C:\Users\Admin\AppData\Local\Temp\078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe"1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\fontMonitor\GFcBidplGj1mDhuTvzK8nh.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\fontMonitor\B6f2SnQ47.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\fontMonitor\chainagent.exe"C:\fontMonitor\chainagent.exe"4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lQa6YaxVpO.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\fontMonitor\chainagent.exe"C:\fontMonitor\chainagent.exe"6⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xqes9JcvBP.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe"C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe"8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea559014-d6ca-4faa-bca0-568b3c11531d.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exeC:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0af1a9d5-9978-41af-87f8-ac0d831d7407.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exeC:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b62302e-6a90-441f-9304-65b07a078510.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exeC:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad3235bf-f141-47a7-b575-5d44039b3790.vbs"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exeC:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ac0a4cb-bf37-4596-9a4a-b3222d6a6495.vbs"17⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exeC:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b388e35-0e37-4beb-9dd1-e61e707c6968.vbs"19⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exeC:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c47772c-9e7f-49dd-9d1e-0610affb712e.vbs"21⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exeC:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6287ce2f-c152-4d47-96db-e1dbc13692af.vbs"23⤵
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exeC:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7f86ed6-443e-4344-9da3-dee273ab6bff.vbs"25⤵
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exeC:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e0b9524-b48e-408b-8a67-1c34f70df11f.vbs"27⤵
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exeC:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe28⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\038c0f3e-ea40-4319-8426-ae9fa724c68f.vbs"29⤵
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exeC:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe30⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75e04b06-6725-4e3a-96e2-92f361d7df55.vbs"31⤵
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exeC:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe32⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\869df521-297a-4f17-824a-784b41458415.vbs"33⤵
-
C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exeC:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe34⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6009f227-822b-4d97-b08a-bd8d728c5a7a.vbs"35⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa2d9729-d642-450e-947c-68b920615fad.vbs"35⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a858efc-7a17-4baa-8a62-b176cc4cc0b2.vbs"33⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0f8d62a-8660-431e-9bb4-b3271c2f18e0.vbs"31⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb17c288-cae7-47d8-a364-cc0b94aa7d0d.vbs"29⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef20c7c3-11eb-4e43-948c-7c761d8800b9.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe32db08-0e48-4dce-a422-59e97ebeae89.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1b22bd0-ab75-4896-9ef3-2255f6512a36.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ac50fbd-ccab-40f4-9cde-b119eeb07e22.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae2a550b-cb4c-427d-9add-b24fc16e8859.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\518b0239-f5dd-44c5-8fac-4389e7e06110.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4bdc64b-459d-4117-8e3b-b3951243fab1.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44ff3a40-a60c-4a65-aff0-574240a97681.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\257bdb54-8138-4ee2-9dda-93ae2dfdb672.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6da8653-2c7d-4f8b-a9a1-1329a6f48660.vbs"9⤵
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\upfc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\fontMonitor\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\fontMonitor\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\fontMonitor\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Configuration\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\sysmon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework64\1041\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\fontMonitor\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\fontMonitor\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\fontMonitor\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\AppReadiness\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppReadiness\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\AppReadiness\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\fontMonitor\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\fontMonitor\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\fontMonitor\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainagentc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\chainagent.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainagent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\chainagent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainagentc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\chainagent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
504B
MD51b49140a62605719e710c8a19d6f01c2
SHA1df42458a9d2a40febe94baaf7968d3a90f8ff9c2
SHA25662509ea4847755cb5a6ba15a4312b317bbb544b171618dc5ea947d4f2eefd25f
SHA5120f479bcb7665c89e535576c56c87071abbdf10fc35fb1c815c9136da6cd9feeeb547d46e023ff00a037518007f412f7daee21f56a801b08b757732365e6e2b2b
-
Filesize
1KB
MD5655010c15ea0ca05a6e5ddcd84986b98
SHA1120bf7e516aeed462c07625fbfcdab5124ad05d3
SHA2562b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14
SHA512e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
729B
MD59b72e6c0008fb5e7d7e1c6b50470b5df
SHA1f4a7a1ff9186ac036df37f22ab8bfa71a092091e
SHA25644d71f0d18970826da004928288370f06931ea7a260898f1ba231633b642453f
SHA512b116e87bbf2ed4f4fdce4262f7e5154e539178c85d24d76548cebd785d8e338077d1c8d108c4441e51846a5cb3905dcbf235ddc77ae174e4b59a901ae348484d
-
Filesize
728B
MD5d0d0930d663fc792c7de3ade4a2597bf
SHA1055339720396e2b30efe320dc58ae3af128b47d0
SHA25673bdd36590c4da7bfe324b5de52a645774eba64cc98dd1e133e9dc698b5d9a37
SHA5120550120e7a8a1c5b9b2e35200dac20ac65ff254a934f9b9c3160a7a1405c5d34b09bec6ff21374b6b17a718aeb3fe5beae88834b10d0fbed3e8113a41564452c
-
Filesize
729B
MD5c50056958deaf6f4929b885fbe3c8f83
SHA15f6ada66f4180f59e333791c7be9017ca98da1a2
SHA25699cfca98adc8e4416feb185439b0f84cb68b0165c7bd6eda9a6f14205ba948e4
SHA512f5b0409328f9144b2877b524f5242f4f06b4deb95debc8d41d9fb0f2fc8de06424f6afb42d9a9ef63029555c9b62360189a96bec65343b55873b52e17affae65
-
Filesize
729B
MD5c9da57676cc40b6aca4f4581b75456d7
SHA1c061e8d618d7548f84c6ad1d66486e3c941236ae
SHA2562d84d7dd2fa72be15a85e137d55b5546360b7e8dbdd47136b53e785b62e2941d
SHA51283826b917a701a6c1f5de81f7fa61046605395c20ac411cad3a7172f52f0d2c91160cb34f7d56e5df7abbbb32414edea170ff05b00772312c1fbf2b6651fa91c
-
Filesize
729B
MD50992fd26e82b80e848451ca907d2a404
SHA196023a955fac014ebea23ae2995f58436ffbd6f1
SHA256835592d114e30dbfd1bdaf196e6910b90865dcf5bf8954288998c2f47ae02f8d
SHA51203a0b66d77eb29b92578e6733cd0a6f23f1b975001aba04dd8a54717cda9305e8f6b5b34bb3a5fb70d3b1555995117c4cb025a36d189d1112d9ccfed007fa9ec
-
Filesize
729B
MD59df6c83de4c048d922711671b5e91ed9
SHA1f4f1775674b5427e011089b61e48eff08bd332ce
SHA25658743be59f27f3785e37e881d1c8900a4540027a70330651022e887df71b98d0
SHA5127465bfef3b7861162741d1108111c70bc34a31b15fe269a63abd56b42d4bcf11198aa8ff92d4b4efec0b9656fbcb5e408c98aa5b407eb2fecbccdd871e78ff80
-
Filesize
729B
MD53c6eecd46fcf9d75b49511cf1c26c3ee
SHA11e750f326847807e3fe0a1cbc5a3fdf7ba59cb17
SHA25636e1e0a7ae5960c3517a4ad4c60a6ca2cf71d1ed14ec458d21b1219a9aa47260
SHA512a9b35d1e29fd57b11e5ae0ea8aa1ee34442f8f3d08e639d0c25f02cb44e134861c8951c240fa56eb45cf38e930e0833122c2c08d80f706490c04410a643ef953
-
Filesize
729B
MD5f29c53ddf8ff645292428ac5cc6d6c7b
SHA18c68f9445bc9edb002b0546653dcdb2f3eedd2f9
SHA256cc7b74968818e0c60105b204c0ad7ec75ce3b52c3e3481794dd2489ed197a786
SHA5127611347a6c575c0e384b9ce5c6efb64c50df1cb2b1a75cfc7c1c1f3b9ff8ab1a00bf13b8beaced7a2153a7de1c9a11c9be5601873af5f3d1b78faeccfe2c77ff
-
Filesize
729B
MD5434be426b0f3c7692f61e7e3a9560d54
SHA1eddacf4482e40abdb81099a72021b72004c02848
SHA256acb0764ef8d0efea9dbfeccc3094acdb0a9eb6569f578921a1297429c4260862
SHA512eca200c698fcddd25933c4cc579cf7207c7c249cfdc5399a9ca07cdaf0550987658cb082c792f73bc611a8163b5ac1ccad7d45cad969de24891c1e8943267a2d
-
Filesize
729B
MD50c162767c75b0a2df55bc0e14a6cde98
SHA1517ce7a2aaf0b50255028a8cb2daf1eadce33984
SHA2560e87c386a9f6d23b41f3fe121d69fa2beba5cd484c12a4263cccf88586de1f31
SHA51227f05afe35d3b7814de301d5359f4dbb19ca7606ae85c3c3f1f74b7e4b3b010a8c359a2985cdaf6489c192bc92466c1f2ef80be612c25491cf0ec37a9ca0e48d
-
Filesize
729B
MD5be9be27b6d0b909bf3fcdf5e93004095
SHA16301830c784401e44835376b647cdd400479d2bf
SHA2561524f5cf19089e58c8274ce0140086c6517551e2f18c7fa0b2cc5223b9980443
SHA5128f68ac45e647453564cd9d047e503f02fcb77b667af95ba251eaae9bbe637050f574198a2190ab553380525c0c054a82f4a3562072bb1e213801859541a4ea0d
-
Filesize
729B
MD5183401f5ed1bd8813e9e9dad3681677f
SHA11a7482255bb696f99f47dc8c7c550e26cbe3af43
SHA25667222c1248f86e6066cba09bd1f260d709f52fe0d5c8b849041222592e0bcfdf
SHA5127b36dbb6cadb2ae8c09d55b953dbed6f411436993884f61a0a7689180ef782468393e4172fdbf90837c03cecc35e41354fa4ea2b145611c05172da5494bc15fe
-
Filesize
505B
MD50e2d53f22f44767acfb3695446a42fdf
SHA1af6803d40ae74916a19eeddb26a3015fb034f51e
SHA256ec4d7b53dea5232287188b1d5f22830ccd6dc06583da462bd8649bb6200a49c2
SHA5125bb16e75eba0855c09f8dfbe0ecffd8ca82ee88e2a22b5d6a6ccaba722a575135526e943506941289aa35d3247dd7f5990a81e16f63ce7961ef1ccf0021ae1cb
-
Filesize
729B
MD54a938ce28e29483973ceccceb0339f64
SHA1c42249b58d84a970c5672f9eef5d4b43a7e04863
SHA25659582b95cff3eb1c10ac3edb58a72026c5f0f707e202c2634f022115d124d208
SHA5125ed0201d6f87527386433946d52ad778e7640161e317c703c2b53f0c0010df57c60a701dbed2bcb2cf717196c877889a940eeddfcd5b3de2a4fe8dc6482ffec8
-
Filesize
194B
MD5151937499948935873645e1193f58178
SHA1eb11bee2de8bbfbfcef734e5385813d3139b64d4
SHA256ef9a02bb26fcceac932c1c4c94f36019dcad0ec6f467ca494ec1e97cd95ac9b8
SHA5120e45126143fe8c7db30d725eff557a3a44c2e42ab96a2b44147d32056e3e1b5df5648bd766b1d0e97078a7bce072037b2104970bbdbc07c294a580020f71cc14
-
Filesize
218B
MD57b000ee9f68c0754fc61316be0f79850
SHA12dc6c3036037d34b9ad82ade751ba27d40c0f6ba
SHA256b92ed271dbc45891047755b3fbc5fe99d151aad32079162b26e8d092468e3346
SHA512c7d31f120b084c0f979b019eef8af1eeb38f40ee80c46ebe8a700448466a91b102cafed9317cc2c6a9dbcd33b5a47410d9f823e4cbcac455766f2c5e27993464
-
Filesize
31B
MD5d919292d76ba6af3f0a7c88b2d07c4fa
SHA10fa76a1456603b525f53d9e787d1a800172afdf8
SHA25652bde46534a8a1ea436617040c311631ce470e0e60875585921e2b3fbde3809c
SHA5123a39f5a6a544634841f20d26dcbc3b2f875639e38eb1f5db1d243517ed87e8df542459e3b65d3336c69293a37e8f3ac03fd4a11330163fbf9eb8bc2218e7a9b5
-
Filesize
197B
MD5692908a9fe7461b9736233b4b217f221
SHA1b3bb8803bba51dd7c622d2a1e4f2c8e4b1c4184d
SHA256d3be77c2e695644f8dfbc8342c806f5f48c3074f5ea1000aa300b6c7061e591f
SHA512f38138284e905c6c877dd67de0858ce6d80403c712249b6e353c51389aa86c67ca29ba4f455d4ab4f1b5f5c6e3c8e1fccbdf01b8d0766aa93b35fb8da5230788
-
Filesize
3.3MB
MD5e74be6bbac3ea0713506397d5d6ef541
SHA1dc4c91d512cb544c5c458e1aecc6bd8a7fab61f9
SHA25658440f3b4db0b30ffa0001857bd2cf329d470c518895ac668ab2eb25a10499f7
SHA51209f31ce980869b6e2d53ee391a62150fdec456ceafa22879f4268094eec03614e77def0dc1adea064e59982838286020e6af45e78c7db3c4cdc1da965c1cd185
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
3.4MB
-
Filesize
72KB