Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
27-11-2024 08:57
General
-
Target
930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
-
Size
4.9MB
-
MD5
5103a1bb4e59cbcc9d05cc7905681c9f
-
SHA1
2ef27ea1ad70d19c214586cf8f44a03853c6fdf1
-
SHA256
930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246
-
SHA512
fc6aef981ab43609850d0b2e79fa4d22646c439f12a267b177b00a67afc1879000f195f1677b24f60250bc8839c4825294b094a902fece31942e8b8ef0ecf33a
-
SSDEEP
49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8s:U
Score
10/10
Malware Config
Extracted
Family
colibri
Version
1.2.0
Botnet
Build1
C2
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain
Signatures
-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
Colibri family
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 39 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 37 IoCs
-
Checks whether UAC is enabled 1 TTPs 26 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Drops file in Program Files directory 16 IoCs
-
Drops file in Windows directory 20 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 12 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 39 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe"C:\Users\Admin\AppData\Local\Temp\930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmpA6C2.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA6C2.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpA6C2.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA6C2.tmp.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Common Files\DESIGNER\csrss.exe"C:\Program Files\Common Files\DESIGNER\csrss.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16885c37-ff7c-4169-9279-2cbb594e18b4.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\DESIGNER\csrss.exe"C:\Program Files\Common Files\DESIGNER\csrss.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\822d10c6-e8fd-4a98-8c64-97de6972f8ba.vbs"5⤵
-
C:\Program Files\Common Files\DESIGNER\csrss.exe"C:\Program Files\Common Files\DESIGNER\csrss.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0ed32d1-0343-43ab-b0c2-ab9c2f192e77.vbs"7⤵
-
C:\Program Files\Common Files\DESIGNER\csrss.exe"C:\Program Files\Common Files\DESIGNER\csrss.exe"8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c83b9d81-ce2d-4c4b-b316-5938287b2bf6.vbs"9⤵
-
C:\Program Files\Common Files\DESIGNER\csrss.exe"C:\Program Files\Common Files\DESIGNER\csrss.exe"10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38d715b3-5562-4c59-9a7d-03460cce29a6.vbs"11⤵
-
C:\Program Files\Common Files\DESIGNER\csrss.exe"C:\Program Files\Common Files\DESIGNER\csrss.exe"12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd885d1d-a0f0-448c-a9d0-c73ddddf725d.vbs"13⤵
-
C:\Program Files\Common Files\DESIGNER\csrss.exe"C:\Program Files\Common Files\DESIGNER\csrss.exe"14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec55b676-0d12-4a57-81e6-6a3ae3fbf713.vbs"15⤵
-
C:\Program Files\Common Files\DESIGNER\csrss.exe"C:\Program Files\Common Files\DESIGNER\csrss.exe"16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a7eb062-181a-4a12-9939-3ba7ee081625.vbs"17⤵
-
C:\Program Files\Common Files\DESIGNER\csrss.exe"C:\Program Files\Common Files\DESIGNER\csrss.exe"18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a7892f9-badf-422f-b8d1-4d4738b45195.vbs"19⤵
-
C:\Program Files\Common Files\DESIGNER\csrss.exe"C:\Program Files\Common Files\DESIGNER\csrss.exe"20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc58c3ad-d910-48bf-9e02-96848c8bdcf0.vbs"21⤵
-
C:\Program Files\Common Files\DESIGNER\csrss.exe"C:\Program Files\Common Files\DESIGNER\csrss.exe"22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3c8db79-cf88-48ce-8756-8c413b08d962.vbs"23⤵
-
C:\Program Files\Common Files\DESIGNER\csrss.exe"C:\Program Files\Common Files\DESIGNER\csrss.exe"24⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a3ef207-180e-498b-8b52-e66e9a4f6bd2.vbs"23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5B74.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5B74.tmp.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp5B74.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5B74.tmp.exe"24⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90d4709e-fb69-456c-9e48-84f0dad94669.vbs"21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp3F13.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3F13.tmp.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp3F13.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3F13.tmp.exe"22⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4d79372-ab04-4b81-b6a1-837ed042dd3d.vbs"19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp2215.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2215.tmp.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp2215.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2215.tmp.exe"20⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33c0ef89-fa9e-4feb-918d-14b1bad787fc.vbs"17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpF1ED.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF1ED.tmp.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpF1ED.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF1ED.tmp.exe"18⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0eb03b0b-290a-43fa-ab9d-7791705dae40.vbs"15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpC241.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC241.tmp.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpC241.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC241.tmp.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpC241.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC241.tmp.exe"17⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb2533c7-5b34-497a-bdf6-14d95d6cc51b.vbs"13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp9323.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9323.tmp.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp9323.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9323.tmp.exe"14⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3c9348c-6233-46c7-a493-eb55a3329e83.vbs"11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp7700.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7700.tmp.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp7700.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7700.tmp.exe"12⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fb5c441-e857-4f7c-b0db-3d2143cdcc1b.vbs"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5BA8.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5BA8.tmp.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp5BA8.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5BA8.tmp.exe"10⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b9fbf75-6f58-4d17-afe7-f7277ac9031c.vbs"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp3F08.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3F08.tmp.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp3F08.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3F08.tmp.exe"8⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6464bb9f-8f29-4f59-af26-c66b8bf8e766.vbs"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpFABB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFABB.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpFABB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFABB.tmp.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f96ac39-0e57-498b-b710-31460cda1286.vbs"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpDD50.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDD50.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpDD50.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDD50.tmp.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\es-ES\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\es-ES\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Music\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\ssh\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\ssh\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteApps\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteApps\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\InputMethod\SHARED\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\InputMethod\SHARED\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD523cf25a557334a68c58b37dcb243b585
SHA15f3de683c9d3745d38b3a9cf267a015be9e5d360
SHA256d73324b661817853b99f95295a1778d05cb4fe1f9dd58ff8916e09e5c714559a
SHA512d84930e6cd9d6b9c70f9e7ea5d5bb75888d66c57fe5112c0f678203474f4d53b477910d11e40c26da170ea737087e04cab88976f05187b8e69a4ad7601bda9fb
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
724B
MD53b9a34ada1378870e071de4d6377069a
SHA1fd7e521e55a428c1a110ecdb6ba8aa83c9b7214f
SHA2560af9e3cb674b1039bbfc6b66589f4c1c442a0c041988ceab54b9043ea2ab4c7a
SHA5127c3c2f8b913d0bac50501e3e8b77ac63d1da47ed90c9a730337436c78011aecf1792f65a4f5f4a53c76b0b76f0538b8582e09fbb22dff14f127d3ecb2145ec42
-
Filesize
724B
MD51c5da4e257566879f6fd686a66f4db12
SHA11a367bfb1c1e7b084e1b3f411540324ae8c4eac8
SHA2562f0c72b2f84be5c53e700e85d674f92fea478a464e3518031a59c3028ac6a821
SHA5123615c588c94578bda6d7a3c5381d4f034f887d1d7fe13659b87850107d5daf1ab3fb954791a49fbeb7e645d7659b0a878becf1796cdaa0a3e7711299a69b2e95
-
Filesize
500B
MD5a0d7923fd2b8264638efcf7e96f19ad0
SHA1d84b7d9170b53abb126938ca89da92a798f6a438
SHA2569673126e3cb0300284b6c54870fc26b326a29876075496de69f7ecc5a529b32e
SHA51246f3c51a8f17f586b503eeed021a01ea1602e9f81b2d6f04839e6a8a27be87caf58293e7d07cfcf6385a5223a813f4d6309850192d642f6b1a47b9c5284af7c7
-
Filesize
723B
MD5897ede0d416624e2c9fa6f29f3f9749f
SHA1468a97f28796087350eda32be55542e5f0f85047
SHA2565eb85acc691cd1349b8a490d074445af92c66012b6554b727684c5288e510c5a
SHA5129955714fa8859fe8c0ebe361ca9675b6736fa974b89de76f33d56b2c18344fb9f2376aa83375ca61fa315e1d03cf18d16d82c56608bfdd6b5aa99d0843a58219
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
724B
MD5e0b8e13cea19f1fe6020674b1edc6148
SHA18f749f76cc2ed81a73ae3a5fdbb916744a8414a6
SHA2565c149318e3c1ed12102fc840d5eca9debfa0fd9f62fdd26a664cb5fede45eb1d
SHA5120f93eab981e45d3139a15a664829a1c57fffd5624db4da1b69bd812d800ed257ee26e4e0805eb29e06e488d2afce238e167d38fce7ee4e83060901d1a655af48
-
Filesize
724B
MD5a46cd4b6f2e06c15104fd169b467cd79
SHA1ba7e6e9e2cd58c778b5f88be50d6fa018cba2359
SHA2567ab989f47455cb9da2edadca7bc18b6d7bc8888468c5a65a8233cafd95238cc2
SHA5120967db68c30f9940dfd88e86aee02ac79d53e53275229bc3166fcc4e0bd568f22e77ed3638e672a3f37fa9830341eddb5b7c4aed2c68a23d4942fbcca003aecf
-
Filesize
724B
MD5ba65abfe47cc54982a46e0b75c9e6f51
SHA1bc33d13afa24e7ad0579a3ad12d60a0dc85b24a2
SHA25627ee7a242ebdeb67581cc9b737d0c0aff2102f51b193321ffa7ed127c3579803
SHA5120375ecad9a7ed45c174befce0f7bd3d51bac3d62d515d44e05e3bb966090345989a722f549b0b4339f121bd8a6c461ef2f461fbf42dd7f06c9712a60ec06a964
-
Filesize
724B
MD5e2ef1769da397a97f69b2eebbc9c1c2b
SHA1ac3c363b47c762694f48e01c751756c279a66fd3
SHA25638e04764bd94086497ff4e0710066778bdff6eb0e6ed6b131ddf6b258186e748
SHA512c1c198cd268f86ebb167c3b0744256e34eec73a80150b9356954b2b88023a0b6693a167eddd92e7826f42522972b77206167d739068a0cc7bef5d5e0841af5a5
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
4.9MB
MD55103a1bb4e59cbcc9d05cc7905681c9f
SHA12ef27ea1ad70d19c214586cf8f44a03853c6fdf1
SHA256930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246
SHA512fc6aef981ab43609850d0b2e79fa4d22646c439f12a267b177b00a67afc1879000f195f1677b24f60250bc8839c4825294b094a902fece31942e8b8ef0ecf33a
-
Filesize
4.9MB
MD593fe37de751a04f02d07e89d0c5e04e8
SHA1e5273ba16911bb5ae2d95ce360f7664747144417
SHA256aba3d445487b31a8b02d6616e9e58facded8a277716d82b041a45e9aa4390e94
SHA5124de9310c45177a2c7bddcfb33303e717bc11fd1e0fa2dc9adba62ee13f7a6cd45f6157291e494b4a7211d1ad21071ce8a721124ebc6ae48b17c885ced4a8027c
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
5.0MB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
320KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
1.2MB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
1.0MB
-
Filesize
28KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
1.0MB
-
Filesize
72KB