Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
12/10/2023, 10:14
General
-
Target
9eabfeb817fb350056d1647712b7ab45a06de6182c321729dce2529870989242.exe
-
Size
1.4MB
-
MD5
59c947071beafcc89d473b6a78cf3c51
-
SHA1
05fb4ea7c6a98a12c1cc9884708960e388f037fd
-
SHA256
9eabfeb817fb350056d1647712b7ab45a06de6182c321729dce2529870989242
-
SHA512
f3816023d509c895e1643483011b212ad5a28a89537e8b153cf15a9ca937c1c1cca5db9166402a8a213bf2c110d0e5c3a181345b1c65aecd7b78d922b00f247e
-
SSDEEP
24576:JyCmcQptZtaOStC92bQi9KAEiXTj72W6ofdZCQN78gnVvmy6nISrm:8CmcQzZtajC9i1X/WsECVvmwk
Malware Config
Extracted
redline
trush
77.91.124.82:19071
-
auth_value
c13814867cde8193679cd0cad2d774be
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
amadey
3.83
http://5.42.65.80/8bmeVwqx/index.php
-
install_dir
207aa4515d
-
install_file
oneetx.exe
-
strings_key
3e634dd0840c68ae2ced83c2be7bf0d4
Extracted
redline
breha
77.91.124.55:19071
Extracted
redline
kukish
77.91.124.55:19071
Extracted
redline
pixelscloud2.0
85.209.176.128:80
Extracted
redline
@ytlogsbot
185.216.70.238:37515
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 14 IoCs
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 30 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 9 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9eabfeb817fb350056d1647712b7ab45a06de6182c321729dce2529870989242.exe"C:\Users\Admin\AppData\Local\Temp\9eabfeb817fb350056d1647712b7ab45a06de6182c321729dce2529870989242.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0492430.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0492430.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6283362.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6283362.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5856324.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5856324.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2831099.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2831099.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 5806⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9079807.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9079807.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 5846⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7898018.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7898018.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 1846⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 5805⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2196896.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2196896.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1484⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5590635.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5590635.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4820 -ip 48201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2996 -ip 29961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4704 -ip 47041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3668 -ip 36681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1072 -ip 10721⤵
-
C:\Users\Admin\AppData\Local\Temp\1170.exeC:\Users\Admin\AppData\Local\Temp\1170.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zP9tI0FO.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zP9tI0FO.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fI8xS2cp.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fI8xS2cp.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CI8By7KA.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CI8By7KA.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\aw5LQ7zH.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\aw5LQ7zH.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JF89lJ0.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JF89lJ0.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 5448⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1487⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Mc239up.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Mc239up.exe6⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\12E8.exeC:\Users\Admin\AppData\Local\Temp\12E8.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 2722⤵
- Program crash
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1431.bat" "1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff786346f8,0x7fff78634708,0x7fff786347183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,3956730074512579408,5807334247637830200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,3956730074512579408,5807334247637830200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:33⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,3956730074512579408,5807334247637830200,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,3956730074512579408,5807334247637830200,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,3956730074512579408,5807334247637830200,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,3956730074512579408,5807334247637830200,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,3956730074512579408,5807334247637830200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,3956730074512579408,5807334247637830200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,3956730074512579408,5807334247637830200,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,3956730074512579408,5807334247637830200,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,3956730074512579408,5807334247637830200,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,3956730074512579408,5807334247637830200,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:13⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff786346f8,0x7fff78634708,0x7fff786347183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,7677832182736925830,682349489286750368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:33⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4932 -ip 49321⤵
-
C:\Users\Admin\AppData\Local\Temp\182A.exeC:\Users\Admin\AppData\Local\Temp\182A.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 2642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4708 -ip 47081⤵
-
C:\Users\Admin\AppData\Local\Temp\18C7.exeC:\Users\Admin\AppData\Local\Temp\18C7.exe1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1188 -ip 11881⤵
-
C:\Users\Admin\AppData\Local\Temp\1B87.exeC:\Users\Admin\AppData\Local\Temp\1B87.exe1⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E4⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main3⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\1D2E.exeC:\Users\Admin\AppData\Local\Temp\1D2E.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:N"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:R" /E4⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2340 -ip 23401⤵
-
C:\Users\Admin\AppData\Local\Temp\1FAF.exeC:\Users\Admin\AppData\Local\Temp\1FAF.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\20D9.exeC:\Users\Admin\AppData\Local\Temp\20D9.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\24D2.exeC:\Users\Admin\AppData\Local\Temp\24D2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2F81.exeC:\Users\Admin\AppData\Local\Temp\2F81.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Scripting
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
152B
MD54d25fc6e43a16159ebfd161f28e16ef7
SHA149941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
-
Filesize
152B
MD54d25fc6e43a16159ebfd161f28e16ef7
SHA149941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
-
Filesize
152B
MD54d25fc6e43a16159ebfd161f28e16ef7
SHA149941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
-
Filesize
152B
MD54d25fc6e43a16159ebfd161f28e16ef7
SHA149941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
-
Filesize
152B
MD54d25fc6e43a16159ebfd161f28e16ef7
SHA149941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
-
Filesize
152B
MD54d25fc6e43a16159ebfd161f28e16ef7
SHA149941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
-
Filesize
1KB
MD59fa02348c6f182973c9d93e57064ba83
SHA19a45f2eef8f8681ecb936ba1a6bb3781ef5d8e35
SHA256e8089224a6528218b11e31879a200312b3116388bcfbf5e1443addd9cfae2fe9
SHA512a994f68c4ff69e704a4dfcecd68f6ab1208c65fc86622c59295911c8c82811203faa79b2c9afb9f3f0a605829c6a512393cc990eaffda854402968f974d48ecc
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
1KB
MD525e7e263462d1a5d33c2b9304f346520
SHA15589161165fcc6115e06fa118331495e7d91100c
SHA256edcdfe8469daedcb8789f58c90db7d60ea524770b40faa59bc705da64881e776
SHA5122287384d38dfb03b7331487cb90b91ee4ced938a9e4ee3865233a87e8ca82968aaf8e8af22b1ceae1964ae72c85f66213cf7ac0a673f4609001971785bba46ee
-
Filesize
6KB
MD5e9dfecb85f3c7b53c2036dde6884c22e
SHA106170a811b0a7a89cb5d1e972d8552065b743af7
SHA256d54716c8c03d362aad85c5eb5e62f95ada9b9ece3cd974148e3c820d825b4672
SHA5126ce5096fe059e537d868a436f0df072af042c7355ee581e5eebd50eb7decf2f332625a30a3f01df6fc03a79615033a764c87f84e3255e036c76ba4732375563d
-
Filesize
6KB
MD59f8fbeeef61d8faa080df26f37366b24
SHA1883c3a2150df051ffb9b976dd2f8505211ac4a77
SHA25603605dd32abf6bcb12ee660e82334a76ed13d14aca1444ea6eb432e840c310a3
SHA51245d4c483460edf6c839eb1b125e2a6ffc5a9f32402aab7145c6e9be14122d646cccf09482e8da24c860cce7452b8fdfec6005c85aa9e353bc4c3006c0dec6472
-
Filesize
5KB
MD5827592a5c642b33b3e8f46c640c7b0bf
SHA168d6ee0fdd8cff1483ad08b60a4eb8e7e18f81ad
SHA256595a17f6b7e7b8b127ded981b5e58c4710332e6ab6bf7b48773e3b74fe8f43a7
SHA512dc55ae1cd0dd38a3a94547e6db301b8d3bba231204ce84f31f6325cda1f2092d7b8ebeb4d2fd4b4d40498e2075aed8f0ed7e343ae802f73873dcfefc1d36e038
-
Filesize
24KB
MD5d555d038867542dfb2fb0575a0d3174e
SHA11a5868d6df0b5de26cf3fc7310b628ce0a3726f0
SHA256044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e
SHA512d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f
-
Filesize
872B
MD5aa797fbbb2f6cba0db69d450e84a8d25
SHA12ce47ce21aea42407449c58d8b416d8f13006e93
SHA25666b0b32d62a2dcb3d1961a19ca21be1f9ee37dff7db5e856db3b9236c94e6203
SHA5123aa719ba0cce129f34355e78189c3a449600d0ad542d4713ec86e361e686f5df28164f70044c1515cc7256952da7752ecdba5d0fdc79b4f30bf5fbaf60a4d1cf
-
Filesize
872B
MD584b988d35cb526e2310db7cfe41f77fe
SHA1f4f5bec41393c1cd0ee9127a0b23efbb32944ad6
SHA2560a1096ba4389a6b0e92d14e858a29a6457339458b604a6c3b36f67c1f650a204
SHA512969e6b9e1fa9ed3fbb36473335fcf642127f2bc82dbb0d1e79a1dc44d1463f803927203c47977c35f9b837b0524ef6d03d6c9011c328c51635215e75af4d65a5
-
Filesize
872B
MD5abe72599fe0d32a3e1d27b3ede7dcffd
SHA1fc13f76830bc96c847347fb6986e90ea92213c5c
SHA256e0c050b3f308df93c0adc9a516067e294be46a160185ccbdc0d418cc20ff22a6
SHA512543da9565817d287bb2a71616daa59513a3ad9f36eaf64b9db4adc877d280a0fb866cb217a19fed2f4dd4f29c9db391c5cfbfbf7a855b693e8bd1f1d84136b74
-
Filesize
371B
MD5260367395225dc831c55fdb37c3c46c1
SHA1dded82ec62ea7b1fbd65a636280d664ffd15a371
SHA2562985b0ad81c4d44d6f63cc099f72e803bdf334747664b684d3ba375efab00f17
SHA512799c8084944a69ade40ba98cd268094851b3e90a33548901f90000ea45b1dee1f3564ce358e644f223da21a77089b878d25ab9a6ca3107805ba8080f29a4a590
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
2KB
MD56d04b2f61cf833f0cc9876e9e9f4cb2c
SHA1adfc3912154f447e4dabe044fc34a27c0d2e5158
SHA25689d7aacde99eb32e05c6b2b9e8cda42750609734f2812b3842df716a7f255f1c
SHA51223748dd5bd087ca4eebcfc76bc7c521e69cdc2c6e277541c85f80f1d907b39db2dda058a5e911c5836d582afa252d2b781d3766b75a102641c5304f685305ec0
-
Filesize
10KB
MD545739f75cbebe18f6dcfeea80b0a60f6
SHA18bea0afa11afbe03e57596cadf1f20748978d661
SHA256d2283a4b1f29dfc488e469e8abff3adc54ffe6d71cadf5a92ec83ad234a1fb63
SHA5123e6d4b64b5dc2e7fe7df67d6d45e3eb0cc52c0be959c2d504df30112c9d7d8231e5f71cfe6940d98619edc134ab51f0a99c1dcf2c8756f6f99b47f8bd0004e74
-
Filesize
1.1MB
MD500c3f2ebd783c0d49802e21aff72ce75
SHA1830d4e55fee955b8a450d5240e833bd442860b19
SHA2568f4584427c8b76fce30fb38959a22924ceb5a27ffb7bf6f7635a6124cdecf506
SHA5122b6cd368804f9810e98000ed1e3e5de87e3d9eca24e7a16a6cd86d4fa432cc21f67efec9b2831f401c0656748fdc61d3d56805eadb264a0dce9c4634881e7bfd
-
Filesize
1.1MB
MD500c3f2ebd783c0d49802e21aff72ce75
SHA1830d4e55fee955b8a450d5240e833bd442860b19
SHA2568f4584427c8b76fce30fb38959a22924ceb5a27ffb7bf6f7635a6124cdecf506
SHA5122b6cd368804f9810e98000ed1e3e5de87e3d9eca24e7a16a6cd86d4fa432cc21f67efec9b2831f401c0656748fdc61d3d56805eadb264a0dce9c4634881e7bfd
-
Filesize
295KB
MD5764547b0930c676b0f5ed551bac991f9
SHA1f31ab3d682ab58df801e2ee6ad1c8974985e501b
SHA256a3ed9b957460f7bc096e9e9b117e32a50d3a166b0ccd47b90411cfb9f1ff3df6
SHA5126f2126f197c6e9b375a1849c016df185c45fb31868afd2dafdfc2694c2f40aec88e07dfc27f81fdfc6842d45f546e55cac9704189cc4f6966b90c30e09d5cd5a
-
Filesize
295KB
MD5764547b0930c676b0f5ed551bac991f9
SHA1f31ab3d682ab58df801e2ee6ad1c8974985e501b
SHA256a3ed9b957460f7bc096e9e9b117e32a50d3a166b0ccd47b90411cfb9f1ff3df6
SHA5126f2126f197c6e9b375a1849c016df185c45fb31868afd2dafdfc2694c2f40aec88e07dfc27f81fdfc6842d45f546e55cac9704189cc4f6966b90c30e09d5cd5a
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize
336KB
MD50900e1f7a26702c8f84ee2de56033c5d
SHA1e8216623ff12086f10be7197627e262bda522361
SHA256f995723aa2af0975414b83b125f1fe9f4a36cc5551677837500a7f37cf1ae4ba
SHA512c18b08373ff86ed7c968a184b01514b1507f5b076df9a19b4146c7c93aefcdf797d0c7d25590479c00d1fc70c361636049d19c0607613b0c1e19d1a0d80aec31
-
Filesize
336KB
MD50900e1f7a26702c8f84ee2de56033c5d
SHA1e8216623ff12086f10be7197627e262bda522361
SHA256f995723aa2af0975414b83b125f1fe9f4a36cc5551677837500a7f37cf1ae4ba
SHA512c18b08373ff86ed7c968a184b01514b1507f5b076df9a19b4146c7c93aefcdf797d0c7d25590479c00d1fc70c361636049d19c0607613b0c1e19d1a0d80aec31
-
Filesize
18KB
MD5699e4d50715035f880833637234303ce
SHA1a089fa24bed3ed880e352e8ac1c7b994dae50c88
SHA256e7289f6de239105fd2553dca6eb34fa6cd612e3aef81dd24f5a6ba9b494fd557
SHA5123ef5a7bec6d957c957b20d76878b2ffa52edd99c9f08a3032872849bf432ce4d4b40820043991ebe397e29747e23650af6e041912c3ebebb524de0765ab69735
-
Filesize
18KB
MD5699e4d50715035f880833637234303ce
SHA1a089fa24bed3ed880e352e8ac1c7b994dae50c88
SHA256e7289f6de239105fd2553dca6eb34fa6cd612e3aef81dd24f5a6ba9b494fd557
SHA5123ef5a7bec6d957c957b20d76878b2ffa52edd99c9f08a3032872849bf432ce4d4b40820043991ebe397e29747e23650af6e041912c3ebebb524de0765ab69735
-
Filesize
229KB
MD578e5bc5b95cf1717fc889f1871f5daf6
SHA165169a87dd4a0121cd84c9094d58686be468a74a
SHA2567d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500
-
Filesize
229KB
MD578e5bc5b95cf1717fc889f1871f5daf6
SHA165169a87dd4a0121cd84c9094d58686be468a74a
SHA2567d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
430KB
MD57eecd42ad359759986f6f0f79862bf16
SHA12b60f8e46f456af709207b805de1f90f5e3b5fc4
SHA25630499d8288a38c428dd0f99390955f1ae753210c382d58b86f29030fbdb04625
SHA512e05cba6e7b07db297d666ad908a5a7c749d2a62b511973be62cc0a812763fcdecc3c4bd2933c905831245a9d3ce64767cbf59136c5b26bee635b367c06e52597
-
Filesize
430KB
MD57eecd42ad359759986f6f0f79862bf16
SHA12b60f8e46f456af709207b805de1f90f5e3b5fc4
SHA25630499d8288a38c428dd0f99390955f1ae753210c382d58b86f29030fbdb04625
SHA512e05cba6e7b07db297d666ad908a5a7c749d2a62b511973be62cc0a812763fcdecc3c4bd2933c905831245a9d3ce64767cbf59136c5b26bee635b367c06e52597
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
95KB
MD57f28547a6060699461824f75c96feaeb
SHA1744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239
-
Filesize
95KB
MD57f28547a6060699461824f75c96feaeb
SHA1744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239
-
Filesize
341KB
MD520e21e63bb7a95492aec18de6aa85ab9
SHA16cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA25696a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA51273eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33
-
Filesize
341KB
MD520e21e63bb7a95492aec18de6aa85ab9
SHA16cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA25696a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA51273eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33
-
Filesize
1.6MB
MD5db2d8ad07251a98aa2e8f86ed93651ee
SHA1a14933e0c55c5b7ef6f017d4e24590b89684583f
SHA2567e3ab286683f5e4139e0cda21a5d8765a8f7cd227f5b23634f2075d1a43cf24e
SHA5126255a434623e6a5188f86f07ed32f45ba84b39b43a1fc2d45f659f0b447ecd3ddea95aaee1f0b14c9845c29a065423a2037ef7f3c70af78a257c0a984e254d90
-
Filesize
1.6MB
MD5db2d8ad07251a98aa2e8f86ed93651ee
SHA1a14933e0c55c5b7ef6f017d4e24590b89684583f
SHA2567e3ab286683f5e4139e0cda21a5d8765a8f7cd227f5b23634f2075d1a43cf24e
SHA5126255a434623e6a5188f86f07ed32f45ba84b39b43a1fc2d45f659f0b447ecd3ddea95aaee1f0b14c9845c29a065423a2037ef7f3c70af78a257c0a984e254d90
-
Filesize
16KB
MD516a7692b613c4cf7aef7e372c71ac1ab
SHA175d56c58cb7c88ee3234bb574c9a857d1ed4c2bf
SHA2569e1478c8ac757026383bd80ed6cb2d27b6633ef6036a1a86ed77da7f823142b3
SHA512e86777186d1af043419dbf0fd1e401c1d92e162c732fd623861fc0f27566789e70e105b962a4d86055a86a0ea1c426ab21d95d291ebe1598aa07dc6e9331bfcb
-
Filesize
16KB
MD516a7692b613c4cf7aef7e372c71ac1ab
SHA175d56c58cb7c88ee3234bb574c9a857d1ed4c2bf
SHA2569e1478c8ac757026383bd80ed6cb2d27b6633ef6036a1a86ed77da7f823142b3
SHA512e86777186d1af043419dbf0fd1e401c1d92e162c732fd623861fc0f27566789e70e105b962a4d86055a86a0ea1c426ab21d95d291ebe1598aa07dc6e9331bfcb
-
Filesize
1.3MB
MD5d24bb96cdcea6a52cab836a0e455c264
SHA1fda069de3a400e0a1740a456d9043d5efa833f2a
SHA2565d99acebe015e78efa258c8f3d840722c6208453849a2614cd09c56aa7d1997e
SHA5122bf0950a99fdc3181071e323c7e91e3a0c4482ae3cd9fb2a65f0236fbea59680b8c9f60597dfe6a20571ddc46d7e7a4e4b2cf296d9ed3f58392a8af879c66be4
-
Filesize
1.3MB
MD5d24bb96cdcea6a52cab836a0e455c264
SHA1fda069de3a400e0a1740a456d9043d5efa833f2a
SHA2565d99acebe015e78efa258c8f3d840722c6208453849a2614cd09c56aa7d1997e
SHA5122bf0950a99fdc3181071e323c7e91e3a0c4482ae3cd9fb2a65f0236fbea59680b8c9f60597dfe6a20571ddc46d7e7a4e4b2cf296d9ed3f58392a8af879c66be4
-
Filesize
1005KB
MD5202898b9be026d6529308ad985e71dca
SHA1a4d838e68f42e5e8d80b6e8512ecdc41eb0a6849
SHA2566589c4a4fd6491513ea172078762c2ce0f97f025fda82bf64335e7a57a0a2a32
SHA512057957b30222a662039617ac12c991aed969fe90108144f7962933640fe92fb6d0a7db92eef9702698145731a4ce61db421ed623f7f6e512326874bb58bc4797
-
Filesize
1005KB
MD5202898b9be026d6529308ad985e71dca
SHA1a4d838e68f42e5e8d80b6e8512ecdc41eb0a6849
SHA2566589c4a4fd6491513ea172078762c2ce0f97f025fda82bf64335e7a57a0a2a32
SHA512057957b30222a662039617ac12c991aed969fe90108144f7962933640fe92fb6d0a7db92eef9702698145731a4ce61db421ed623f7f6e512326874bb58bc4797
-
Filesize
880KB
MD5b47b6c1fca11be85ff10794366f33797
SHA11178d4abb701e0e70040b81ca84cfedeb0cb3f89
SHA256756e45ba13891998e44d45c70474343fb56b8a0a920b6e911fe7dec1c21adb74
SHA512734aa397fdef99319228f916aca9b8b2429da35fd59ad5421530f4c53582db6718bf6ca66c11f3a7c923f9a548f3af591cc38bbf402181c476b6cdb234b7e020
-
Filesize
880KB
MD5b47b6c1fca11be85ff10794366f33797
SHA11178d4abb701e0e70040b81ca84cfedeb0cb3f89
SHA256756e45ba13891998e44d45c70474343fb56b8a0a920b6e911fe7dec1c21adb74
SHA512734aa397fdef99319228f916aca9b8b2429da35fd59ad5421530f4c53582db6718bf6ca66c11f3a7c923f9a548f3af591cc38bbf402181c476b6cdb234b7e020
-
Filesize
816KB
MD57d962201114ce67f289cdabc1255177d
SHA103691d42ef1b9a6370493a5cedc782e9ca4f7701
SHA256589c0749fdc3d1c19187ea79e3c974b87f796a517c1113fd7a1ce0cecbc61226
SHA5121a145d136375175cdff92466a6dff4881266051c552884d349a1c71e1b89915a0be7bf1fc9b2465cb412157a7754b4eb609d66d5c920a5df8160b7a6d0b076f9
-
Filesize
816KB
MD57d962201114ce67f289cdabc1255177d
SHA103691d42ef1b9a6370493a5cedc782e9ca4f7701
SHA256589c0749fdc3d1c19187ea79e3c974b87f796a517c1113fd7a1ce0cecbc61226
SHA5121a145d136375175cdff92466a6dff4881266051c552884d349a1c71e1b89915a0be7bf1fc9b2465cb412157a7754b4eb609d66d5c920a5df8160b7a6d0b076f9
-
Filesize
950KB
MD5383156ee04dec173a5e9cdeea27ff101
SHA1757bd700d92e562d21f54a86de42fbca69fa3611
SHA25676b4faad5948afa19a80b770af40dc0ce71f9b5c2afaed160e0bad0b14d4f36a
SHA51270237c1a065267d6b535f0eae533056b96036966835503e01c867728974b4283c1cd72aebbf4d634d9b4026f3e065e35a20653571915c1f50e7cbf6ff996e33a
-
Filesize
950KB
MD5383156ee04dec173a5e9cdeea27ff101
SHA1757bd700d92e562d21f54a86de42fbca69fa3611
SHA25676b4faad5948afa19a80b770af40dc0ce71f9b5c2afaed160e0bad0b14d4f36a
SHA51270237c1a065267d6b535f0eae533056b96036966835503e01c867728974b4283c1cd72aebbf4d634d9b4026f3e065e35a20653571915c1f50e7cbf6ff996e33a
-
Filesize
582KB
MD5e8b3d6c5ca59c1d4729e27d843486ca9
SHA1021eacfd248be99884785787ab163e3b0290e6f9
SHA256c0b73192511072aafc62173c5f08da9933f8a7f477b5840bdf73fadb665562cb
SHA512577011632359a12d6dfbf6785bd13c7661146893279a8b480b5c2f72943453a46cbd06065ff50977e1cb179e0efdf2e291d3eebcb3be3a2451c989f69843fbdf
-
Filesize
582KB
MD5e8b3d6c5ca59c1d4729e27d843486ca9
SHA1021eacfd248be99884785787ab163e3b0290e6f9
SHA256c0b73192511072aafc62173c5f08da9933f8a7f477b5840bdf73fadb665562cb
SHA512577011632359a12d6dfbf6785bd13c7661146893279a8b480b5c2f72943453a46cbd06065ff50977e1cb179e0efdf2e291d3eebcb3be3a2451c989f69843fbdf
-
Filesize
1.0MB
MD534c742a42b7ee304413fa73ca8be632f
SHA16a46589cfda459fff122d0da428db6eed4033d33
SHA256b98220735077786eaf3bc1420aa51f2db1caa498fef0acd154a60b63f5e1720f
SHA5124d93cad00d44b02208975acaa21ccf3a6a4c9ddc5e877430e6b20705a4d3e8d962d5532b7632f6b103014d8e2d43643491deaea31a1b22561b10b0817a84b7db
-
Filesize
1.0MB
MD534c742a42b7ee304413fa73ca8be632f
SHA16a46589cfda459fff122d0da428db6eed4033d33
SHA256b98220735077786eaf3bc1420aa51f2db1caa498fef0acd154a60b63f5e1720f
SHA5124d93cad00d44b02208975acaa21ccf3a6a4c9ddc5e877430e6b20705a4d3e8d962d5532b7632f6b103014d8e2d43643491deaea31a1b22561b10b0817a84b7db
-
Filesize
513KB
MD5e142ffa512bcccf131c40e7619f140e0
SHA1fc4d6495f427104411a38bde0ae90022e6d50339
SHA256cf9fa90ca349badf5699f68272c8d83eb9c6c3b7f87023517f30943b44492e00
SHA512e211b2d7407d03ebcecece8d32613db62c4b6e41f1a546f56f03150ece93feea8e6a2153e98a5ed49f093ed94c74364da16f2f70281a952101d38945320b40d3
-
Filesize
513KB
MD5e142ffa512bcccf131c40e7619f140e0
SHA1fc4d6495f427104411a38bde0ae90022e6d50339
SHA256cf9fa90ca349badf5699f68272c8d83eb9c6c3b7f87023517f30943b44492e00
SHA512e211b2d7407d03ebcecece8d32613db62c4b6e41f1a546f56f03150ece93feea8e6a2153e98a5ed49f093ed94c74364da16f2f70281a952101d38945320b40d3
-
Filesize
903KB
MD5728344688bf23cc29115d685bcc2983f
SHA18f37a8a9e12893d9128a1deee8e04e03bd76dfd9
SHA2562573cfb515928206dd448955c360f26cb023b11c8fd845abc0e49cbe8e0eea22
SHA5123d20f7835bede584dcf99508145853292b6746b34c6615957670d682a6026d3f5faacb00117b02afddc9b1da060a4c78ff76a3448330b3c7a5c2181a49e9b03c
-
Filesize
903KB
MD5728344688bf23cc29115d685bcc2983f
SHA18f37a8a9e12893d9128a1deee8e04e03bd76dfd9
SHA2562573cfb515928206dd448955c360f26cb023b11c8fd845abc0e49cbe8e0eea22
SHA5123d20f7835bede584dcf99508145853292b6746b34c6615957670d682a6026d3f5faacb00117b02afddc9b1da060a4c78ff76a3448330b3c7a5c2181a49e9b03c
-
Filesize
1.1MB
MD5d1dbbad495c3072d186de1a70293a93a
SHA16b14fda9482d3c6f2008948828fdd7f2ca4fe5df
SHA256ba6affed318a27112496b79e3ea08b214136a4814bbbaadc0fc7a57507ba5030
SHA512d922161b1dacbd516b0afced0be7ecf9e6ad267b26e2e1d036fbc8be2432f47c5c2bea05c1687b2b800aaf78edd85ef239b6a5778898f6f3fdbb645c48606fe7
-
Filesize
1.1MB
MD5d1dbbad495c3072d186de1a70293a93a
SHA16b14fda9482d3c6f2008948828fdd7f2ca4fe5df
SHA256ba6affed318a27112496b79e3ea08b214136a4814bbbaadc0fc7a57507ba5030
SHA512d922161b1dacbd516b0afced0be7ecf9e6ad267b26e2e1d036fbc8be2432f47c5c2bea05c1687b2b800aaf78edd85ef239b6a5778898f6f3fdbb645c48606fe7
-
Filesize
381KB
MD5fcdc30fecd37588039c55b4df728e73e
SHA19a87289afe0972d213dc25ad6d41e2e089ac07d1
SHA256a129c4866f251eb4ef67490fa08b8a20c01d1d877295b7028934c58354d9356c
SHA51274898d60353d3ceec3a4700ebeef7ebda73d3becfc6e0dcd73bfb863191b6621cf1a4e80026b5ee18c5cf37a3e0fe143aa1c997ab7af2ad12ed7dbaa8e11e123
-
Filesize
381KB
MD5fcdc30fecd37588039c55b4df728e73e
SHA19a87289afe0972d213dc25ad6d41e2e089ac07d1
SHA256a129c4866f251eb4ef67490fa08b8a20c01d1d877295b7028934c58354d9356c
SHA51274898d60353d3ceec3a4700ebeef7ebda73d3becfc6e0dcd73bfb863191b6621cf1a4e80026b5ee18c5cf37a3e0fe143aa1c997ab7af2ad12ed7dbaa8e11e123
-
Filesize
295KB
MD5cb386ebb2a5dd1b118d1f4bc687d9f49
SHA1d5dc064b3b78343262f475da71c1d9ec14e249ae
SHA256ba29bc0ff82db7efd577c3f213d3d1a4cc181d4e1a3dd0ea66b090ecbd13cd47
SHA512bdd1289c2441c51bfa8130e2673a938d63e1bc2c6dfc16c836579154a54b93bf3e1a8d2dfee14291b40d8d0534215ee05cdee2f05d17f55b1320b3245dfc92ce
-
Filesize
295KB
MD5cb386ebb2a5dd1b118d1f4bc687d9f49
SHA1d5dc064b3b78343262f475da71c1d9ec14e249ae
SHA256ba29bc0ff82db7efd577c3f213d3d1a4cc181d4e1a3dd0ea66b090ecbd13cd47
SHA512bdd1289c2441c51bfa8130e2673a938d63e1bc2c6dfc16c836579154a54b93bf3e1a8d2dfee14291b40d8d0534215ee05cdee2f05d17f55b1320b3245dfc92ce
-
Filesize
222KB
MD5a2c4c7725608c31185ef32cff5c12739
SHA1d09d8a6c0c298d5204dfa5fe60e6b46b18641069
SHA256d54ef6c9f02f9e37468ee0a3e21a074ff8122cc2bbfcf20a13876bd8a4d47245
SHA5120ea87a85d0bd0f49ef7320cfbe9e991711765c8b315735279917d065720b3068bc25a5d93c6f980d16fd85bef04fa60db4c8bd27c83e4fcc6952fefbd0a889c8
-
Filesize
222KB
MD5a2c4c7725608c31185ef32cff5c12739
SHA1d09d8a6c0c298d5204dfa5fe60e6b46b18641069
SHA256d54ef6c9f02f9e37468ee0a3e21a074ff8122cc2bbfcf20a13876bd8a4d47245
SHA5120ea87a85d0bd0f49ef7320cfbe9e991711765c8b315735279917d065720b3068bc25a5d93c6f980d16fd85bef04fa60db4c8bd27c83e4fcc6952fefbd0a889c8
-
Filesize
229KB
MD578e5bc5b95cf1717fc889f1871f5daf6
SHA165169a87dd4a0121cd84c9094d58686be468a74a
SHA2567d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500
-
Filesize
229KB
MD578e5bc5b95cf1717fc889f1871f5daf6
SHA165169a87dd4a0121cd84c9094d58686be468a74a
SHA2567d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500
-
Filesize
229KB
MD578e5bc5b95cf1717fc889f1871f5daf6
SHA165169a87dd4a0121cd84c9094d58686be468a74a
SHA2567d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
92KB
MD58395952fd7f884ddb74e81045da7a35e
SHA1f0f7f233824600f49147252374bc4cdfab3594b9
SHA256248c0c254592c08684c603ac37896813354c88ab5992fadf9d719ec5b958af58
SHA512ea296a74758c94f98c352ff7d64c85dcd23410f9b4d3b1713218b8ee45c6b02febff53073819c973da0207471c7d70309461d47949e4d40ba7423328cf23f6cd
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
Filesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
248KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
360KB
-
Filesize
7.7MB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
248KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.1MB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
360KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
7.7MB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
7.7MB