Analysis
max time kernel: 143s
max time network: 151s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/01/2024, 04:32
Static task
static1
Behavioral task
behavioral1
Sample
5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
Resource
win10v2004-20231222-en
General
-
Target
5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
-
Size
1.8MB
-
MD5
5aef42cb1a86816dfd2146d7d0225797
-
SHA1
2a9554d3f2d8d9fe81c07007f05a231c5db3c3c9
-
SHA256
5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d
-
SHA512
54f8387bf1575db90b0fe21c69fbde62b29fc5f1a37be19a04ea849f02713365742ce257be99720f630c94001280c0c7b33fa891b0b5cc2941fdd18ce65841dc
-
SSDEEP
49152:OKJ0WR7AFPyyiSruXKpk3WFDL9zxnSmJvMf+swLH:OKlBAFPydSS6W6X9lnzqWswr
Malware Config
Signatures
-
Executes dropped EXE 36 IoCs
pid Process
468 Process not Found
2144 alg.exe
2508 aspnet_state.exe
1632 mscorsvw.exe
2156 mscorsvw.exe
2200 mscorsvw.exe
1172 elevation_service.exe
1776 GROOVE.EXE
1484 maintenanceservice.exe
944 OSE.EXE
2528 OSPPSVC.EXE
2968 mscorsvw.exe
1728 mscorsvw.exe
2440 mscorsvw.exe
900 mscorsvw.exe
1684 mscorsvw.exe
1968 mscorsvw.exe
2600 mscorsvw.exe
592 mscorsvw.exe
2656 mscorsvw.exe
1944 mscorsvw.exe
2044 mscorsvw.exe
2312 mscorsvw.exe
440 mscorsvw.exe
1104 mscorsvw.exe
1756 mscorsvw.exe
2772 mscorsvw.exe
1684 mscorsvw.exe
1164 mscorsvw.exe
2372 mscorsvw.exe
2516 mscorsvw.exe
896 mscorsvw.exe
2880 mscorsvw.exe
2060 mscorsvw.exe
1212 mscorsvw.exe
2312 mscorsvw.exe
Loads dropped DLL 1 IoCs
pid Process 468 Process not Found -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\System32\alg.exe 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\480a74983db14c9a.bin alg.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\GoogleCrashHandler64.exe 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe mscorsvw.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe mscorsvw.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe mscorsvw.exe File created C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\psuser_64.dll 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe mscorsvw.exe File created C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_th.dll 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe File opened 
for modification C:\Program Files\Mozilla Firefox\plugin-container.exe mscorsvw.exe File created C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_ro.dll 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Temp\GUT61D0.tmp 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe alg.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe alg.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe alg.exe File created C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_kn.dll 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe mscorsvw.exe File created C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_ko.dll 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe alg.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft 
shared\DW\DWTRIG20.EXE alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe mscorsvw.exe File created C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_am.dll 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe File created C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_vi.dll 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe mscorsvw.exe File created C:\Program Files (x86)\Google\Temp\GUM61CF.tmp\goopdateres_fr.dll 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe alg.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe alg.exe File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe mscorsvw.exe File opened for modification C:\Program 
Files\Java\jdk1.7.0_80\jre\bin\rmid.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe alg.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe mscorsvw.exe -
Drops file in Windows directory 17 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe alg.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe alg.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe -
Modifies data under HKEY_USERS 3 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings GROOVE.EXE
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform OSPPSVC.EXE
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule OSPPSVC.EXE
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2004 5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe
Token: SeShutdownPrivilege 2156 mscorsvw.exe
Token: SeShutdownPrivilege 2200 mscorsvw.exe
Token: SeShutdownPrivilege 2156 mscorsvw.exe
Token: SeShutdownPrivilege 2200 mscorsvw.exe
Token: SeShutdownPrivilege 2156 mscorsvw.exe
Token: SeShutdownPrivilege 2156 mscorsvw.exe
Token: SeShutdownPrivilege 2200 mscorsvw.exe
Token: SeShutdownPrivilege 2200 mscorsvw.exe
Token: SeDebugPrivilege 2144 alg.exe
Token: SeShutdownPrivilege 2156 mscorsvw.exe
Token: SeShutdownPrivilege 2200 mscorsvw.exe
Token: SeDebugPrivilege 2156 mscorsvw.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2156 wrote to memory of 2968 2156 mscorsvw.exe 40 PID 2156 wrote to memory of 2968 2156 mscorsvw.exe 40 PID 2156 wrote to memory of 2968 2156 mscorsvw.exe 40 PID 2156 wrote to memory of 2968 2156 mscorsvw.exe 40 PID 2156 wrote to memory of 1728 2156 mscorsvw.exe 41 PID 2156 wrote to memory of 1728 2156 mscorsvw.exe 41 PID 2156 wrote to memory of 1728 2156 mscorsvw.exe 41 PID 2156 wrote to memory of 1728 2156 mscorsvw.exe 41 PID 2156 wrote to memory of 2440 2156 mscorsvw.exe 42 PID 2156 wrote to memory of 2440 2156 mscorsvw.exe 42 PID 2156 wrote to memory of 2440 2156 mscorsvw.exe 42 PID 2156 wrote to memory of 2440 2156 mscorsvw.exe 42 PID 2156 wrote to memory of 900 2156 mscorsvw.exe 43 PID 2156 wrote to memory of 900 2156 mscorsvw.exe 43 PID 2156 wrote to memory of 900 2156 mscorsvw.exe 43 PID 2156 wrote to memory of 900 2156 mscorsvw.exe 43 PID 2156 wrote to memory of 1684 2156 mscorsvw.exe 44 PID 2156 wrote to memory of 1684 2156 mscorsvw.exe 44 PID 2156 wrote to memory of 1684 2156 mscorsvw.exe 44 PID 2156 wrote to memory of 1684 2156 mscorsvw.exe 44 PID 2156 wrote to memory of 1968 2156 mscorsvw.exe 45 PID 2156 wrote to memory of 1968 2156 mscorsvw.exe 45 PID 2156 wrote to memory of 1968 2156 mscorsvw.exe 45 PID 2156 wrote to memory of 1968 2156 mscorsvw.exe 45 PID 2156 wrote to memory of 2600 2156 mscorsvw.exe 46 PID 2156 wrote to memory of 2600 2156 mscorsvw.exe 46 PID 2156 wrote to memory of 2600 2156 mscorsvw.exe 46 PID 2156 wrote to memory of 2600 2156 mscorsvw.exe 46 PID 2156 wrote to memory of 592 2156 mscorsvw.exe 47 PID 2156 wrote to memory of 592 2156 mscorsvw.exe 47 PID 2156 wrote to memory of 592 2156 mscorsvw.exe 47 PID 2156 wrote to memory of 592 2156 mscorsvw.exe 47 PID 2156 wrote to memory of 2656 2156 mscorsvw.exe 48 PID 2156 wrote to memory of 2656 2156 mscorsvw.exe 48 PID 2156 wrote to memory of 2656 2156 mscorsvw.exe 48 PID 2156 wrote to memory of 2656 2156 mscorsvw.exe 48 PID 2156 wrote to memory 
of 1944 2156 mscorsvw.exe 49 PID 2156 wrote to memory of 1944 2156 mscorsvw.exe 49 PID 2156 wrote to memory of 1944 2156 mscorsvw.exe 49 PID 2156 wrote to memory of 1944 2156 mscorsvw.exe 49 PID 2156 wrote to memory of 2044 2156 mscorsvw.exe 50 PID 2156 wrote to memory of 2044 2156 mscorsvw.exe 50 PID 2156 wrote to memory of 2044 2156 mscorsvw.exe 50 PID 2156 wrote to memory of 2044 2156 mscorsvw.exe 50 PID 2156 wrote to memory of 2312 2156 mscorsvw.exe 51 PID 2156 wrote to memory of 2312 2156 mscorsvw.exe 51 PID 2156 wrote to memory of 2312 2156 mscorsvw.exe 51 PID 2156 wrote to memory of 2312 2156 mscorsvw.exe 51 PID 2156 wrote to memory of 440 2156 mscorsvw.exe 52 PID 2156 wrote to memory of 440 2156 mscorsvw.exe 52 PID 2156 wrote to memory of 440 2156 mscorsvw.exe 52 PID 2156 wrote to memory of 440 2156 mscorsvw.exe 52 PID 2156 wrote to memory of 1104 2156 mscorsvw.exe 53 PID 2156 wrote to memory of 1104 2156 mscorsvw.exe 53 PID 2156 wrote to memory of 1104 2156 mscorsvw.exe 53 PID 2156 wrote to memory of 1104 2156 mscorsvw.exe 53 PID 2156 wrote to memory of 1756 2156 mscorsvw.exe 54 PID 2156 wrote to memory of 1756 2156 mscorsvw.exe 54 PID 2156 wrote to memory of 1756 2156 mscorsvw.exe 54 PID 2156 wrote to memory of 1756 2156 mscorsvw.exe 54 PID 2156 wrote to memory of 2772 2156 mscorsvw.exe 55 PID 2156 wrote to memory of 2772 2156 mscorsvw.exe 55 PID 2156 wrote to memory of 2772 2156 mscorsvw.exe 55 PID 2156 wrote to memory of 2772 2156 mscorsvw.exe 55 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe"C:\Users\Admin\AppData\Local\Temp\5e89670006fdfd115160c1bf86f9698ccd7172e6b46d21962d5347bc90a4de5d.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2508
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:1632
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1728
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2440
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1dc -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 264 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2600
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 268 -NGENProcess 274 -Pipe 1f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:592
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 1d8 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2656
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 27c -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 280 -NGENProcess 1dc -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2312
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 298 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:440
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 284 -NGENProcess 29c -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1104
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 254 -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 29c -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 2a0 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 298 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1164
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 26c -NGENProcess 1dc -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2372
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2516
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 258 -NGENProcess 2a8 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2ac -NGENProcess 29c -Pipe 1b0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2880
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 2b0 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2060
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2200 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1212
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2312
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1172
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1776
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1484
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:944
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2528
Network
MITRE ATT&CK Enterprise v15
Downloads