Analysis
-
max time kernel
899s -
max time network
901s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13-01-2025 04:05
General
-
Target
dabf40b2ed8d96638f713f6373ef64cb.exe
-
Size
2.5MB
-
MD5
dabf40b2ed8d96638f713f6373ef64cb
-
SHA1
4c9479e54b394722bdaeff1b36d903502cd1b1fe
-
SHA256
0a0eebfca8553e921339c90b0060ceb6adcbc5f747696b1abecd376f50283911
-
SHA512
0a9abca78917efea2b77dcccf862761e99001a26bba3de871c233b07500c7e414e32ebd41f93e23b332696db1d56aaa9e8357e60ac32efbf06c13bf40abf1fd0
-
SSDEEP
49152:UbA30QsSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvifV:UbcLlK6d3/Nh/bV/Oq3Dxp2RUGV
Malware Config
Signatures
-
DcRat 55 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 18 IoCs
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 45 IoCs
-
DCRat payload 33 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 34 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 34 IoCs
-
Checks whether UAC is enabled 1 TTPs 30 IoCs
-
Drops file in Program Files directory 26 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dabf40b2ed8d96638f713f6373ef64cb.exeC:\Users\Admin\AppData\Local\Temp\dabf40b2ed8d96638f713f6373ef64cb.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Mssurrogatebrowserhostperf\8kPsHmvrEcJwjafU40gzsGMXV7Gtxc.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Mssurrogatebrowserhostperf\SmjPROQS4143k.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Mssurrogatebrowserhostperf\Serverbroker.exe"C:\Mssurrogatebrowserhostperf\Serverbroker.exe"4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7d5e75a-45c2-44a8-bcf6-b4e7f778c483.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9911b3e7-83c8-4e4b-b3fa-9d51403fddec.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\561692f8-04de-4d1c-bce6-4cd466b7ecc0.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c94a08c-7944-417d-a842-493aef615c0d.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7d0b987-f63e-4cb0-b58b-4c4a2a01c7af.vbs"14⤵
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d18f5003-18cb-473f-833a-72d1eeebcddc.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a590be0a-8289-44ea-ad00-048f8d48ef92.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19476b80-e2cb-414f-a689-6e3f35eb6aa0.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50731987-3051-471a-876d-dad6e43faa73.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1cbc276-44ef-40a2-885b-04fd270f96e4.vbs"6⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Public\audiodg.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Public\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Mssurrogatebrowserhostperf\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Mssurrogatebrowserhostperf\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Mssurrogatebrowserhostperf\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Mssurrogatebrowserhostperf\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Mssurrogatebrowserhostperf\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Mssurrogatebrowserhostperf\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\cmd.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Tasks\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Mssurrogatebrowserhostperf\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Mssurrogatebrowserhostperf\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Mssurrogatebrowserhostperf\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Videos\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Favorites\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Start Menu\cmd.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\taskeng.exetaskeng.exe {B32E3057-7D13-4B9B-BC82-9F991168E66B} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe"C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\spoolsv.exe"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\spoolsv.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bb53b5f-9231-4513-928e-5629c85ef7e6.vbs"3⤵
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b5b6753-4344-417a-98cc-df5d194341a2.vbs"5⤵
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\272d3a21-72e1-4a1f-bf42-b2aa37a45b48.vbs"7⤵
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99b588fd-7099-4485-a65f-c01855270c32.vbs"9⤵
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8143388e-4dfd-47ec-96ca-75485da58a5a.vbs"11⤵
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c9811ed-aee3-4f08-8715-0d160ce3da54.vbs"13⤵
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc46c8cf-22b7-4417-94cb-e514e583dad3.vbs"15⤵
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df33ea55-746a-48cc-90fd-695cc5e62119.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a54e8720-11bd-4775-a112-a8384415bb80.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52acfa56-f85f-443f-8df3-faa21149e5fd.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74982970-8372-48c1-a20a-72f1cf0f2cd8.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d51e0b13-83c9-45e4-bb4d-da4d09f476aa.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08ca8976-0619-49f6-8f0a-20672280ec89.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aee46c45-1550-4cb8-bb8a-b40b7ced274d.vbs"3⤵
-
-
-
C:\Users\Public\audiodg.exeC:\Users\Public\audiodg.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Mssurrogatebrowserhostperf\conhost.exeC:\Mssurrogatebrowserhostperf\conhost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Mssurrogatebrowserhostperf\lsm.exeC:\Mssurrogatebrowserhostperf\lsm.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Public\Favorites\dwm.exeC:\Users\Public\Favorites\dwm.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\DigitalLocker\smss.exeC:\Windows\DigitalLocker\smss.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe"C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exeC:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Start Menu\cmd.exe"C:\Users\Admin\Start Menu\cmd.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft Sync Framework\services.exe"C:\Program Files (x86)\Microsoft Sync Framework\services.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\spoolsv.exe"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\spoolsv.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\7-Zip\Lang\OSPPSVC.exe"C:\Program Files\7-Zip\Lang\OSPPSVC.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Public\audiodg.exeC:\Users\Public\audiodg.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Mssurrogatebrowserhostperf\conhost.exeC:\Mssurrogatebrowserhostperf\conhost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Mssurrogatebrowserhostperf\lsm.exeC:\Mssurrogatebrowserhostperf\lsm.exe2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\169106b3-6cdc-4df4-8d45-37348184090a.vbs"3⤵
-
C:\Mssurrogatebrowserhostperf\lsm.exeC:\Mssurrogatebrowserhostperf\lsm.exe4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\901f87ca-bd48-42c7-b92c-be2a3f3a9188.vbs"5⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\472d37f4-9519-4040-82a1-eeb2c9e6dbc3.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fc80efe-e4de-47d1-9c91-803cb80c314e.vbs"3⤵
-
-
-
C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe"C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD5a7e0475eb8e2e26e457a4c752dc26444
SHA1060c460c794a47f44686b717eb8d15f1945edb58
SHA2568ece9e304ffb5cba5d51cb2187907d4910167fca5f67a59d316fd9d2ce47ae52
SHA5129d7cac7d9fd93e3b88c1ea7663af7687ae08e8ee39dcc1549c4fb25d7342f3a9774b7f8e7c1b50ab96b09629ab4c587548a5b1063c843132277c7baa2069cad6
-
Filesize
2.2MB
MD567f998093c11d8a104aef7a92a2d5b26
SHA1cea4392bfb620e2d5b303c7f39fe68a30080a771
SHA256f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1
SHA512e3572eaf810f95944206728a83c822244afd079f59cef2911e11dddd85216a09663edbd8041fe5281c0ca9a6182bc5b70d77cbcc403baccbfbdc1d9c6a137e92
-
Filesize
160B
MD5fa37ae621180833b315a091613c1540f
SHA188d6ec7192566b085231e6a6f05f813a8355514d
SHA256f3f37ca346054c66639f1320cccc5b8f618ce747c5f9086bd18376a9a42a3484
SHA512d77768e84e9e01e3e64e00914c5e8f1067796a369c71939641f052c9f9b7d17aef5c9b5e96449d610976f45e291b567c49fc374099a9284c8045ca51d51c9bd0
-
Filesize
2.2MB
MD593cb1ef2a84c5b2705b5ff4c183e7a76
SHA15d7ff4ee651cca4e7738f50d2cc03ca01d0eed34
SHA256bd18470960eaea5e387e68aefb4f98e699b1fa91e2f9d83f72a65d6563d801eb
SHA512aa00bc4ca6da4fed51044128d92c578ab9002c085be37e876e6ce7691fc64acbfe593246241d647bb9c5f502545a159bdb205f359d32b8171f03ae8b33d3f1c9
-
Filesize
2.2MB
MD570f35d04041d9c029d59586fc6aa3819
SHA1a9f37462584d22bad8909ffc1c047cdfee84f049
SHA256517ef97c6f4481e5d6eac2ebd79fbbfe34c9dbe59a0f775c0c2a3e3b942aaae6
SHA5121739c6ce05e4fbee9d2829a95b3ca910b28a0f853d2a6e11e779fae7b419c46b7fd22641f28c2b91b826dd3905e478a23fa1e55c31665adea3f6a042d7078f53
-
Filesize
714B
MD5f14d535bd26869ecc19e332b88b5f5c3
SHA1f14135f9ed5f00d65ea922f98845ba09ea549ce4
SHA256ef10109382280192ac175361e653f7db15979443a5b635b1d9b13f3b36f768bc
SHA512429c8844f5d162eb08a476decff5474f3f49b866ddb14c5ee4c761dd465f553c963ff5811da5129fce8a08d59dd610697a21d71264b29ad845083055a0a5d725
-
Filesize
715B
MD58830b693c0779acf7520fbfbbdb2629c
SHA1193ea64f0563309e7673967fbc399b7136278ed8
SHA2565a0b374fb92072c72cbd19bc9b51ff87d52161311c93637db6398afc8ffb9341
SHA512aea2f4e3e39a74369ab2c2459e3bcfade198676c963b2abb851b77312060a22fb8e7c2a269ea9f0e541a42065e67de90d1165dac075af9e18f99280cc45f75b2
-
Filesize
715B
MD5081ec095a7f78e1fc60298577cd96fd3
SHA129ead2ca5f909de3c716f2becdef4ebc63dd4ae4
SHA2568a241be2637730ad08d99e89e386e666812ce196a7679cbef018bba63053f47d
SHA5127fd9d458738d5c617ffc7e0947c6adc6b362859ffe7a40e5c09dbdb55b878737cfd8293f69fa4afa32813708e9bce12dfe0ebef2e419fb393d612b3244bb0b31
-
Filesize
489B
MD545e82df8157501cad00ed3814171872f
SHA1ccc064f70e8c52d469807d99cd3f4b1d1e656784
SHA256db1468723b6d59a38e9691b2f36e9d9fddf70895451b821a4cd13d643e9ed610
SHA5126bdccfccc05ffb77cf93fdecf93a3ce586bc843c42fc3f8b313a4ae13e548a31844edd40b6f7fb0b913d15b8489749c3667d59e924b0b09e3e1ce50651556373
-
Filesize
715B
MD509fe50f6b97822d3053c114d57ba66f5
SHA17d5bddddc126a5faed6398bf9d1adacd055fcec1
SHA256a1cb8c4abd0887b0426c40671ade506dcd73d8a5ccbbd166f86acff55399fade
SHA512e082a1f73f0bdad1059d0547e577d503187f96ab4b0e4a5f70ac39470ab6278fcbadd5dd22fad4822ebb9126dc1bc4c137fa8ab08969293b48b71b7fffc0efc9
-
Filesize
715B
MD530f94755deefc54ac2e0e00acefba113
SHA194e1fd058c8fefe1d94b3251ec97fb85fd3aa6b5
SHA25699becb8b7e43fd79cbc3fba8dccd3bdcecb592f6d1ef1cc7f197cbae631eee1d
SHA512d47641a0d73416c803053667c3fe4a6357a44e356632b57628b351aec88956ef42789b473c081606e4e51943a5fc38acc6e0cf98bc5a8190fad17b00be7d5381
-
Filesize
715B
MD50245dc48d5090bf2b83bab8161606d76
SHA156cfcfba33456f2eab935fb6ba5344084f4a94e5
SHA25631809a7bbf993351ce5c70c3a46a815da0eb140968df3f0a25a473af9087e319
SHA51252c59ac612ed2cc25ef51b67acb40ad0e274e763b667a20af8aaa1b307f376e24c76e2a251cd0a36effee4bbbf17564981d34b578aa9850d3e55d8140141b64c
-
Filesize
2.2MB
MD51f6a136b34fc862f272e7aaf0cb76c5d
SHA1d82f56ed7d8aa97995f65a80d563cba5c8a9f6a4
SHA25620acfab8488bf9f1c2460204f81c56d208c490de2a239ad93f37493cf6ee504b
SHA512c491c6f0d6188e7e12823be214b666322300511a1b2690ee7c6652362016f1c6f0867ad99f618b5f0a747637f9fbeb7f16ed153427cd759482547ecd384e643b
-
Filesize
715B
MD56a990ef523d47bc9a5980d71f80c4522
SHA1ad5b3f97ac8992714a398d14c5cb7cc9c56684e7
SHA256ece3ed0dc6c4d643859555b9d2448ea350173374bb8ea63335be06666d59842e
SHA51246ddfeceb4fe82094af6d46c39a8aebe4fe55ae9deacfcac59d7ea93f177b41f26a826a3ff81070c0ca9a329b5cdb0aad092f1b78a0ffc2c2c96f90db8c93b49
-
Filesize
714B
MD592be591eee0eee4c1ac1170a1f2f1fa0
SHA1fbdb2d1fa13321f8b5070073b9529f2f28141dc4
SHA2562b3691a7c1e468bd2ab794d7c029b8ab3893cbf329fdbb86a468f4c944e72ff2
SHA512c5b328c9290b02f868d59e0232cad1216a65d6a3080e0952ca38a4039c0fe2b03084a6fde8ac22e71eadccdda7532c73cab5148b7a9ba75ae8d05901d206fa5f
-
Filesize
491B
MD5c2229a019a2e5fd71267c02e798b3a60
SHA1e9bd42653b6b4280aac8178e20ce76283badc2e9
SHA2569f186820be9420022b1614215928c7b28a4eff80b4aadbc84f9ba79d7965948f
SHA51273f8c5754668595bce97bbaf7381abe2778f885a0b0da55ed75a2d7b68ea95900b92c26b596589d3229511f7033f8ca083e1e4a3b9dc33c513406a4c10e055eb
-
Filesize
715B
MD5c157ad7484c5cb22c2ee9c938984224e
SHA1b91b8879fe683791d525197d4452ae84706393b1
SHA25642047a048cd7785013396550d38c9beb313ea3e9a6de922f5251c83b7b8752db
SHA5126be796d22eb591a3e7074c98a8708c38caab420338faaa14af2d081f6a81a53226afbbfa56661234bd459f2d39c79c5b110708ae4d9db0f25a2ae44b9ee22ac9
-
Filesize
715B
MD5d2c1cd732e0211c79c47eeec0a1f1f66
SHA1345734a675cab32878d49b216f2f4c5ff1b8ec15
SHA2562fa3849e079641e1d789468520de3f6c9d394943dca7e6765d17c47c2f6c0972
SHA512a531dfd1d602ed6c70cf6a44f56d097edbd43129aecb8aaf6bb73a3e3c8b453c987894bbfdfb8bdf93afc5046847e8b47207daa3f9f0eb0c61be01bd1929933e
-
Filesize
2.2MB
MD5fdd321cafddf2b291544fcd9bcc23ced
SHA1de33a4c644f9d24ea523ea303020fb9df2aa34d4
SHA25664c17cde2090acdfcf84fa207e619bdf3119a9d458470e394bb58eab5bbe1412
SHA5128897496fb175cd90406cf6284d32432b3350b2c3b00194cd25132bc469e093988c6b0f6e0bb6132d8aef476d642962f725c070f09c773a09ea13ad237933f800
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
72KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.2MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB