Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/11/2024, 12:41
Static task
static1
Behavioral task
behavioral1
Sample
2024-11-08_4827604cfabf8582e91fa1d9c083bbfc_mafia.exe
Resource
win7-20240903-en
General
-
Target
2024-11-08_4827604cfabf8582e91fa1d9c083bbfc_mafia.exe
-
Size
1.4MB
-
MD5
4827604cfabf8582e91fa1d9c083bbfc
-
SHA1
867bee787b3f510d24b22192c18d8bce07b3f52c
-
SHA256
27f43a1e604f189eaa0ad33458f7f4f1e4e2b4f315cf1e50bd70909670a7acbc
-
SHA512
e4ddeaf095b14ebe363f24d0df81ecbf803286e37387e5f82abf68a1737e18dea221b6230df438fadda86d7e094b705ce8603f2b1018acb7f52c70cc1b805851
-
SSDEEP
24576:tpEa2NFhTGuTzs7ozX0j52pMkuLoiSJVlIL29mhNq6:nEa2NjxfJ70jIpM3kiSBM29mhNq
Malware Config
Signatures
-
Executes dropped EXE 6 IoCs
pid | Process
2488 | alg.exe
2144 | DiagnosticsHub.StandardCollector.Service.exe
1344 | elevation_service.exe
4240 | elevation_service.exe
5052 | maintenanceservice.exe
2036 | OSE.EXE
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-11-08_4827604cfabf8582e91fa1d9c083bbfc_mafia.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-11-08_4827604cfabf8582e91fa1d9c083bbfc_mafia.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-11-08_4827604cfabf8582e91fa1d9c083bbfc_mafia.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-11-08_4827604cfabf8582e91fa1d9c083bbfc_mafia.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\f9cb5308674cc675.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
-
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-08_4827604cfabf8582e91fa1d9c083bbfc_mafia.exe
-
Modifies registry class 52 IoCs
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2144 | DiagnosticsHub.StandardCollector.Service.exe
2144 | DiagnosticsHub.StandardCollector.Service.exe
2144 | DiagnosticsHub.StandardCollector.Service.exe
2144 | DiagnosticsHub.StandardCollector.Service.exe
2144 | DiagnosticsHub.StandardCollector.Service.exe
2144 | DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
644 | Process not Found
644 | Process not Found
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 3692 | 2024-11-08_4827604cfabf8582e91fa1d9c083bbfc_mafia.exe
Token: SeDebugPrivilege | 2488 | alg.exe
Token: SeDebugPrivilege | 2488 | alg.exe
Token: SeDebugPrivilege | 2488 | alg.exe
Token: SeDebugPrivilege | 2144 | DiagnosticsHub.StandardCollector.Service.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-08_4827604cfabf8582e91fa1d9c083bbfc_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-08_4827604cfabf8582e91fa1d9c083bbfc_mafia.exe"
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3692
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2488
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:1344
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4240
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:5052
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2036
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.2MB
MD5ea5e1bf79cb51fc79b3c3674f2a016b0
SHA1f1a385678cb5e09b91fbbec2cfecdc735becb9fe
SHA2562e216eca12d335984b9c73b88717f2f140f2100af460e1c1d298cedade1a5265
SHA512006fb844b4606194049c058b9b8ed486f94585ac82851e97b76e3fad57cc40dbda71742e578fb18911f948131c3ddc65d89bf1f79b57b73ebc43d9150c35a113
-
Filesize
1.2MB
MD5293734ab748bd2c0b6c8e449bd2fb2b8
SHA11df23f7f5bc8223aef772a0744b8ce3a1176adca
SHA2560cae26d8165660291f0c8b94b3ffb2698eceec0db06e2fe1080e2cd9775e1bc2
SHA51286dc0bd30730c6e7eb37148ec23c1c965c3c6892a5019c5a2844f5a63d9a548edb090888dbb8cf26a5dafe3dbd7a13c8a4b99e11e6a12b88c8bd57cff56f2919
-
Filesize
1.2MB
MD57081132e372923bd5544b3f1f4ff181f
SHA1fd2b01132e14e72454f6c4fb9a23559a236a18e0
SHA256cfb90fe9c7c7dcfbdd3e7d0bd10ee16d27b9e572e1f729f755fbe34692cdac6a
SHA512f76891c29adcad4cb30caa6e6b86d8f8025190e3426cb6181df1ea288f031f1546787cbee5dae1b7fe5efa1a3e1f5a70f3119e63ef5c677e7c89e963ac6ab18f
-
Filesize
1.2MB
MD5230fa570dd244b494877b46b60240d19
SHA14fa9e0cddf06ca61c16ae05a82f7db78d01658b5
SHA25609588925c0faa1009ff8c96618f4562f059f4be066465cbbf52cf319cdee7ee6
SHA512a4c554bd73a491aeba725dadd62f3c23e84be76bd392d4fb96f177511eee8a22649db574f94162c8ee7e0b641cb4d66277e5cc2f4ecd099f6f34ce91d9e1deef
-
Filesize
1.2MB
MD5c1a2fc731e75bfc8ac1f8750fc0d177d
SHA17f8cb0942c39714c0bb64839c1a374fd4dc3ae51
SHA25667eafbd915c7238961f06b8619eff7b4f965d53b1cd9f7af25cc93376332b128
SHA5129bc88d3cc95ca4407e8656a491ca73fdc39d74ce02b9ad13643b311b3fe3f8bc21c4ced4adbfb1098ae8b228c6793edc553bfa238d5b511417af71cee2582952
-
Filesize
1.2MB
MD590ca4ce7256b2352e296c8f215d4402a
SHA1fab39c614c46eb1ef8460ec7432f9e46a1f16172
SHA2569f21a97eb4748153be404382b6448f2b073a88e7323972c300721afff14d3be3
SHA512b850dff38e64e6b1af98f91b67aa2427039fcc21385212b09cf2d7ed90590acc48a4eae3635168d7cdbef94ee67dd78cd9912ddc8de5929328e4a00a81b5d7ab
-
Filesize
1.2MB
MD537549de9777591f5d1522d4b8d47e29e
SHA114ce7d68e9e25636d809c09a0ec3a3d8464c3d63
SHA256c12d6e8185d1cd91b530166865369dd39233a81ca2e2bc2817f7d7dabdd69d3a
SHA51260dd2090170b8a4d0cba07499a3521474681f999c1a3e8929e0146d854ca8459ef24d6f97bc8b05265da6bb747a8c5e06d83d532e238950cecd5e0a6d6ea8efc
-
Filesize
1.2MB
MD5afc273946dfe27bd1db0788a1365f500
SHA1bc29a94acc31c7e7bd1979949688f68148d80d96
SHA25688c0c6f05f2c431dcf6bb16d67bde7f36c59b71b7f5dc4379ae6c2587f2dfa57
SHA512e281a8acc61b818371df12ab5213319a8591ea9220df998d160391e1209a9a0ef4098f2ef002b2ca279430e5911174c8a5ac1a4fde791b5d043b5cdd321d3199
-
Filesize
1.2MB
MD5eed59212cc032c40726b8453490f2fa4
SHA1fedb82d2e40340984af855aedd3ffca0a7a71b4a
SHA256191b186e8862478808de1cde8908cf83423ee5d59f46f543cdd3f737d798cdce
SHA512f1c2d547de92e8797cee0ba97fab4ddf201cd8acfbb5970d5c050a6ae587a222ca68d6585624d81aab2d950cb59a5238268b8bafadba9bee5c8f0d510ad0b524
-
Filesize
1.2MB
MD5f6f42f5d96075e4a320c559eec23cd67
SHA14d61ba9262d74f2f7c0988b60a0bc38f0f0bc5a9
SHA2561b6608586f6e8d0e50278ec0ddadd4ba7ce4fb9bbac992646f4cc7b2062d5070
SHA512b6835594b01a514b9c5d09256027bb2e1ec28e5c092499f29b2c352b1ae41b33f84cb6f94eac9366c57990882b3d9c6075bd4c19cd64de20b48cd3d09bd14749
-
Filesize
1.2MB
MD5d93a80b9dd9debf51802dc532bf0db3e
SHA16a0bc7a524f18c43e074aaa0e69347c1b141fa52
SHA2568a94ace7bc9e8517d74b88703c72ba4967ba8a7d027dd0eae6d90d5187d04d9f
SHA5127a0b206bf45048b71a1673cf5a72ea92c08e3011ec923b4b1da8b9ee20e04e0af3158c67858a74e244e0253ac38dab2fdba3f6e5a8abd127ee93c3bd8c17ffbb
-
Filesize
1.2MB
MD5df95d7d9058ff28ac5c39362c9ecdeec
SHA1f274da648617e2af759b238d3c334c0a94816e4a
SHA256ae4fda044ce79032c956bd0eb562cca9e57e69c4a7dec7d5f22780001095cb11
SHA5121124791bbfb090507c75d5874c23190d4d4bcb4a3028771d3605b128d9cfa65f2bc31480b75dfbe1df0eb44b6674587d69e1fa9b553e6a72991c9c4b4992ea72
-
Filesize
1.2MB
MD5262bd10490719851cc3c482df144246a
SHA1631d0463e978857bd503da2daa00e807f46822bd
SHA25646fe34d29f1b40343f404cde4b5aabe9d47f2e9bebc5666f6a74597d1e86eb84
SHA5121f6271fbc89f451f91a262794385bda9b291a043bb043c53bca85622894e975451e7f1bcdd705ebfd8c179221c5dd20e9d3acdc6ee41a646e4d59eccb39d2d9d
-
Filesize
1.2MB
MD588a5d1d7472e9cf439517cca326ed469
SHA1c92020de70e663084e75c90df463f15df5f3bb79
SHA25634e18f3f2b0fd1aae531329494cced3f945565320b40c35b2514bf7d036e367c
SHA5124c533f1d947a166c472c5b0c5372a732d7f3a685a1a1f62cb66698371eba3a8ba378a1c9b626af2222cd7562e6382fe05bda3eaaf6a566f495647c9976d0f10b
-
Filesize
1.2MB
MD5cd876260787fb11e8c29c02cc1de6f77
SHA13a5c8b97052b3510363f5ddfddf3d4b640f3cd59
SHA256bedf274108db204b01a37c2924c92f6b79e200b56cf9b0a63433a20701cf52c1
SHA5128c61be4bed313cf6bcf25e5486a27aa1a2c843cc7ba0726ce6b04056cb2480392d3ce52b2d53789e9c2b80d5c74e4fa441d97e9566668af7b2f1a554b12a70ff
-
Filesize
1.2MB
MD5ca71f31bbf51c19247ce740136151221
SHA18bfe9cb24e7b88a1e9c33738000949db24f4c8fa
SHA2567abea65cc7592a76ffe87c3758bbd86a4097c5f4f5fdae3da6ad17d3ba570619
SHA512f34ae183b0198678dc4a23dd23eea28255a03c6d2ec484d99b574d38182def325b193866a2842e3cf7284edf53bcaffebb88cc91ace3d4025e0d3d8497b65032
-
Filesize
1.2MB
MD519a52b0d87bbb082b0d0ef74984f831c
SHA148b3762fde9ef0e8d7418f27bca84b43db9d7b52
SHA256e0082b36a96dd9326ce0729fefcf32d3f08e3d77e8f310a785dfd39b63886201
SHA512c50516d7deed3c1a1854f235dce5c2eaf24db859e996b9ef8bca8973e959856d326242de7d2accfdd9d87d75749f90ac8c6db23c3a172307dd098e6a9392208f
-
Filesize
1.2MB
MD55e9b9a30ed426d9a89a6d11faf0c3b07
SHA10efd2c9ca60bda5519f5976fb812cce8436efc1d
SHA25633189d548b9893a213b5f0cf9c1a51791d6e44ffbca0acf5750b8b5d2c3330f9
SHA512e46ed6e156cbf3772b211883a8ae0a6a38f1ebcedfbc0a683634cd7c5d7b5251c4b850a3c1041b00f9d91aed44cd06f37c3aa947dd5d61751cdb27b8541b3d07
-
Filesize
1.3MB
MD50e26da1471ac9c61d131b36775a8401f
SHA1231b8947db47c69b8e08d0636166a20156af5054
SHA25697bbce105bd38196e7d575601d15410ade03db572709fe7511a9419290f705b1
SHA5127814c5480c91d151b4b9bb65b2218e94e18b2b574f3da8d06bcda65c1fe74aefdb21325610b3884cff160fc24e8bdbe86f1f8e942f2459dfc428bb0661c11905
-
Filesize
1.3MB
MD5b024eb4d2e944e9800c0b7b24e90d19c
SHA15adf4307e45bcf9cf534f773916c31c829cc0a62
SHA256a54629b14a18343e4a5812a019774e5fe2db4001ec7bfe3af6b3dc98d0f6aa8a
SHA5123765fd2377bd09bd509b489d8d4407d7ce78c509c16fb8ff5c0220fd60fed7eba3030b7a425f3abf3cbae5324e80a9073dbaeb6ab4656adeb3f52f6c9133c28d
-
Filesize
1.3MB
MD535f7276acc97ab9473867bb47d157676
SHA1d5617ded2737c4780072f9a1bfc67bf84173f881
SHA256a79a93cf98e35133e960d16eedbd7c71afb9571c786ec03c037df03363fc0b79
SHA512ae80848b1c99cfb08154fa48e566e1fe8645c2d34f64979d790ee9a1f93f497c6812f915a9cc7533130a61f9c114dbd2e1352c574380b65b8e900dbdb88fc83b
-
Filesize
1.3MB
MD5747bbee07efd356f6d30c1cd92b43088
SHA1503d289774c62325baeb89c517b228698719dbb8
SHA256b36a409efece478b15d4fc18b553098f6ac9ba36f28b32e6e637a4e5cbafa218
SHA51209162f5e8ef9bee03f927cacc72850a856ad3e826ad3b581e66d0b7a7df37621a5d3fbe35973cae3d25fa2b101c921e65b03ece109bf26e6254eda014b61a222