Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-12-2024 10:41
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20241007-en
General
-
Target
Server.exe
-
Size
93KB
-
MD5
d43643e01d59c289b551c240242ea5cd
-
SHA1
aa17e80aac2ca4e14297b0a7cf29c85b116882c6
-
SHA256
e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460
-
SHA512
4143358f507836da62db5f91fccf50d531b79bc5893d7f09d1929f597924a7e2f6b157ea0cec129c9d7c87853e19596714e918204e5ce074a0aa5dec523cbfdd
-
SSDEEP
768:sY35xByZnDQMMpAZrGSt6udttXymsahkGJiXxrjEtCdnl2pi1Rz4Rk3YRsGdpUgM:NxUZD3rGWNd7DhkhjEwzGi1dD8DUgS
Malware Config
Extracted
njrat
0.7d
HacKed
hakim32.ddns.net:2000
japanese-cross.gl.at.ply.gg:16828
ac168fa7329a1bbe164c59a113cb4d71
-
reg_key
ac168fa7329a1bbe164c59a113cb4d71
-
splitter
|'|'|
Signatures
-
Njrat family
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2168 netsh.exe -
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ac168fa7329a1bbe164c59a113cb4d71Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ac168fa7329a1bbe164c59a113cb4d71Windows Update.exe server.exe -
Executes dropped EXE 1 IoCs
pid Process 2508 server.exe -
Loads dropped DLL 2 IoCs
pid Process 2124 Server.exe 2124 Server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winhlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winhlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language POWERPNT.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winhlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language POWERPNT.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language POWERPNT.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winhlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main helppane.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2136 POWERPNT.EXE -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2508 server.exe 2136 POWERPNT.EXE -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: SeTakeOwnershipPrivilege 984 helppane.exe Token: SeTakeOwnershipPrivilege 984 helppane.exe Token: SeTakeOwnershipPrivilege 984 helppane.exe Token: SeTakeOwnershipPrivilege 984 helppane.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe Token: 33 2508 server.exe Token: SeIncBasePriorityPrivilege 2508 server.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 2508 server.exe 2508 server.exe 2508 server.exe 2508 server.exe 984 helppane.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 984 helppane.exe 984 helppane.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2508 2124 Server.exe 30 PID 2124 wrote to memory of 2508 2124 Server.exe 30 PID 2124 wrote to memory of 2508 2124 Server.exe 30 PID 2124 wrote to memory of 2508 2124 Server.exe 30 PID 2508 wrote to memory of 2168 2508 server.exe 31 PID 2508 wrote to memory of 2168 2508 server.exe 31 PID 2508 wrote to memory of 2168 2508 server.exe 31 PID 2508 wrote to memory of 2168 2508 server.exe 31 PID 2508 wrote to memory of 1544 2508 server.exe 38 PID 2508 wrote to memory of 1544 2508 server.exe 38 PID 2508 wrote to memory of 1544 2508 server.exe 38 PID 2508 wrote to memory of 1544 2508 server.exe 38 PID 2508 wrote to memory of 344 2508 server.exe 39 PID 2508 wrote to memory of 344 2508 server.exe 39 PID 2508 wrote to memory of 344 2508 server.exe 39 PID 2508 wrote to memory of 344 2508 server.exe 39 PID 2508 wrote to memory of 2372 2508 server.exe 40 PID 2508 wrote to memory of 2372 2508 server.exe 40 PID 2508 wrote to memory of 2372 2508 server.exe 40 PID 2508 wrote to memory of 2372 2508 server.exe 40 PID 2508 wrote to memory of 2372 2508 server.exe 40 PID 2508 wrote to memory of 2372 2508 server.exe 40 PID 2508 wrote to memory of 2372 2508 server.exe 40 PID 2508 wrote to memory of 2160 2508 server.exe 42 PID 2508 wrote to memory of 2160 2508 server.exe 42 PID 2508 wrote to memory of 2160 2508 server.exe 42 PID 2508 wrote to memory of 2160 2508 server.exe 42 PID 2508 wrote to memory of 2160 2508 server.exe 42 PID 2508 wrote to memory of 2160 2508 server.exe 42 PID 2508 wrote to memory of 2160 2508 server.exe 42 PID 2508 wrote to memory of 2080 2508 server.exe 43 PID 2508 wrote to memory of 2080 2508 server.exe 43 PID 2508 wrote to memory of 2080 2508 server.exe 43 PID 2508 wrote to memory of 2080 2508 server.exe 43 PID 2508 wrote to memory of 2080 2508 server.exe 43 PID 2508 wrote to memory of 2080 2508 server.exe 43 PID 2508 wrote to memory of 2080 2508 server.exe 43 PID 2508 wrote to memory of 2180 2508 server.exe 44 PID 2508 wrote to memory of 2180 2508 server.exe 44 PID 2508 wrote to memory of 2180 2508 server.exe 44 PID 2508 wrote to memory of 2180 2508 server.exe 44 PID 2508 wrote to memory of 2180 2508 server.exe 44 PID 2508 wrote to memory of 2180 2508 server.exe 44 PID 2508 wrote to memory of 2180 2508 server.exe 44 PID 2508 wrote to memory of 2136 2508 server.exe 45 PID 2508 wrote to memory of 2136 2508 server.exe 45 PID 2508 wrote to memory of 2136 2508 server.exe 45 PID 2508 wrote to memory of 2136 2508 server.exe 45 PID 2508 wrote to memory of 2136 2508 server.exe 45 PID 2508 wrote to memory of 2136 2508 server.exe 45 PID 2508 wrote to memory of 2136 2508 server.exe 45 PID 2508 wrote to memory of 2136 2508 server.exe 45 PID 2508 wrote to memory of 2136 2508 server.exe 45 PID 2136 wrote to memory of 2732 2136 POWERPNT.EXE 46 PID 2136 wrote to memory of 2732 2136 POWERPNT.EXE 46 PID 2136 wrote to memory of 2732 2136 POWERPNT.EXE 46 PID 2136 wrote to memory of 2732 2136 POWERPNT.EXE 46 PID 2508 wrote to memory of 2632 2508 server.exe 47 PID 2508 wrote to memory of 2632 2508 server.exe 47 PID 2508 wrote to memory of 2632 2508 server.exe 47 PID 2508 wrote to memory of 2632 2508 server.exe 47 PID 2508 wrote to memory of 2632 2508 server.exe 47 PID 2508 wrote to memory of 2632 2508 server.exe 47 PID 2508 wrote to memory of 2632 2508 server.exe 47
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2168
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.vbs"3⤵
- System Location Discovery: System Language Discovery
PID:1544
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.vbs"3⤵
- System Location Discovery: System Language Discovery
PID:344
-
-
C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.hlp3⤵
- System Location Discovery: System Language Discovery
PID:2372
-
-
C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.hlp3⤵
- System Location Discovery: System Language Discovery
PID:2160
-
-
C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.hlp3⤵
- System Location Discovery: System Language Discovery
PID:2080
-
-
C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.hlp3⤵
- System Location Discovery: System Language Discovery
PID:2180
-
-
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.ppt"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122884⤵PID:2732
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.ppt"3⤵
- System Location Discovery: System Language Discovery
PID:2632
-
-
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.ppt"3⤵
- System Location Discovery: System Language Discovery
PID:2600
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:1400
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:2660
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:1972
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:1612
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:2532
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:808
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:2120
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:1740
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:2160
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:2364
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:2848
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:2804
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:2252
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:2428
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:760
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:1196
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:1888
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:1332
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:2624
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
PID:2640
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
PID:1088
-
C:\Windows\helppane.exeC:\Windows\helppane.exe -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:984
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
113B
MD567eeaff7e51df1ae135bcb3c656e2aeb
SHA171ee5f857e5a1c11206718d910f57556e79bec47
SHA256fa2c12bec4a6d8b945e3d85961e1a7a26858623c6d2318ae843f4b867bbbf499
SHA5121570bd5338476984ffec39211d64bf8c3bb89435b68c15cf0d06335f4eab4f0bb702ea234535c7d3e0e4ee4bce0b34d01d448816bba1b1f9e53d808336d24faa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_C03C740CA12142E48E933E56E5FB68C8.dat
Filesize940B
MD55c9c29cc2b1de9ea350d469190a4a4db
SHA185f4ceacbe2675d447e98eb1b998b01e921117e9
SHA256633f3a8b47f13e502a4f90234bd0e5d4c271cbb9524f212648c8ab45d95279a0
SHA512c38c5f99dc884a4458ccd229f90970a740fcfe87f6f335c2dc400e37e82a31c7d6509cb3446deadc736e4079a17ddb9e6c69b7ca35cad3a386023acbfc05d844
-
Filesize
19B
MD553b9f8d6b89885849f2082ed155df5b0
SHA19698bf6232b9b0e9e9bd1a5c22a2e31cf1a7641e
SHA256c8852b43797378fb4f911c2e010882f1665bbcaf037ba800d1d6de3329937488
SHA512dd25d925585da29304f3b0ba6eb92463b9f25507ea3b0e306c891e441805210d9f02b451835f46d4d01ee0803f489bfbf5f0056fb47830f839d123be3cbf252f
-
Filesize
5B
MD5a65a8cc18c0fdcac3b78ed8f032e2f98
SHA19087f7aaf4edf3b132348b1e5dfa7a678d57d40e
SHA256ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a
SHA5128e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d
-
Filesize
93KB
MD5d43643e01d59c289b551c240242ea5cd
SHA1aa17e80aac2ca4e14297b0a7cf29c85b116882c6
SHA256e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460
SHA5124143358f507836da62db5f91fccf50d531b79bc5893d7f09d1929f597924a7e2f6b157ea0cec129c9d7c87853e19596714e918204e5ce074a0aa5dec523cbfdd