Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
17/10/2022, 08:54
221017-ktx6kabbg8 817/10/2022, 08:29
221017-kdjcgabcdn 817/10/2022, 08:08
221017-j1pmbsbcbl 817/10/2022, 05:56
221017-gnhxxaage2 1016/10/2022, 16:18
221016-tsd6qshgc7 8Analysis
-
max time kernel
2700s -
max time network
2673s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
16/10/2022, 16:18
General
-
Target
http://we.tl/t-dIsTXRtNmc
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 10 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 43 IoCs
-
Modifies Internet Explorer settings 1 TTPs 13 IoCs
-
Modifies registry class 36 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 25 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://we.tl/t-dIsTXRtNmc1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4544 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1d0546f8,0x7ffe1d054708,0x7ffe1d0547182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5840 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5872 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff663bd5460,0x7ff663bd5470,0x7ff663bd54803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3632 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1820 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1824 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7256 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7124 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6656 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7252 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6288 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6412 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6660 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6688 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4144 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,17061031586741853292,534022133238301588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5200 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\slam ransomware builder installer.exe"C:\Users\Admin\Downloads\slam ransomware builder installer.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & taskkill /F /IM slam.exe & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM slam.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & exit2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start C:\slam_ransomware_builder\start.exe & exit2⤵
-
C:\slam_ransomware_builder\start.exeC:\slam_ransomware_builder\start.exe3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EC9D.tmp\start.bat" C:\slam_ransomware_builder\start.exe"4⤵
-
C:\slam_ransomware_builder\slam.exeslam.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\slam_ransomware_builder\README.txt6⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln6⤵
-
C:\slam_ransomware_builder\MSBuild.exeMSBuild.exe ConsoleApp2\ConsoleApp2.sln7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmpde5938257c774c13a5a1367128eb2db9.rsp"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3896.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSCE12AEA9D1A64FC2B970FFA28D466694.TMP"9⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BE2.tmp" "c:\slam_ransomware_builder\CSC62CA73E3E9C24730A4EA10F1D139F9F3.TMP"8⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c MSBuild.exe uac\ConsoleApp2.sln & mkdir %appdata%\buildfin6⤵
-
C:\slam_ransomware_builder\MSBuild.exeMSBuild.exe uac\ConsoleApp2.sln7⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmp0f0f7865021e4a75999d101492c8bddc.rsp"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES444E.tmp" "c:\slam_ransomware_builder\uac\ConsoleApp2\obj\Debug\CSC1D2319395FA74ADAA7E4FC2BC2A65BA7.TMP"9⤵
-
-
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\slam_ransomware_builder\README.txt6⤵
- Opens file in notepad (likely ransom note)
-
-
-
-
-
-
C:\slam_ransomware_builder\TEST.exe"C:\slam_ransomware_builder\TEST.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentBrowser*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecDiveciMediaService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecJobEngine*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecManagementService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vss*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sql*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM svc$*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM memtas*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM backup*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxVss*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxBlr*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxFWD*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCVD*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCIMgr*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM DefWatch*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM ccEvtMgr*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM SavRoam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM RTVscan*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBFCService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM Intuit.QuickBooks.FCS*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooBackup*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooIT*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM zhudongfangyu*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM stc_raw_agent*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VSNAPVSS*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBCFMonitorService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamTransportSvc*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamDeploymentService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamNFSSvc*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM PDVFSService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecVSSProvider*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentAccelerator*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecRPCService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcrSch2Svc*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcronisAgent*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CASAD2DWebSvc*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CAARCUpdateSvc*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM TeamViewer*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\slam_ransomware_builder\TEST1.exe"C:\slam_ransomware_builder\TEST1.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
Filesize
1KB
MD5a0cf91191b2ced1da3735e8ecb6d0eda
SHA16bac79309b36de267eaeccdf648338221c4f08eb
SHA2563c7da3216b3ee21da17d40689e9db95b793c0786b23afae8af0c1238179dcd20
SHA512363488109a67ff1e8ca0410ff170913bc9fbf4bccfa231c84c06f058d5ce4bacdd47074dc5ea030859f5349a9b10d1498584df51e7f12b72d9ee44b17c56de3f
-
Filesize
503B
MD5dfe1ae8d80ebac310e8e4c5666fd130a
SHA193e89515d275915ef5b4139991ffcb2a3c6be85f
SHA256c770b3488c9ca9eb25eb889885ce63fb6b474b3bf86e86db3d6f2038860d89ca
SHA51271ab9fc7c0ccd948c8c4705a380b3dd8154e70d53865eba39709a0dd642268f3b02c284bc6f027b7c756212f9e9577b5653ef7eaaf2633141127cf09f59580b4
-
Filesize
1KB
MD514d3e72147f0f6f99aaef009711edbe2
SHA1e0f551cd79b4ba39ae8da9b26219567a683579a3
SHA256fa75d51f4ffdde230249aca4fce9c0606161f4789b9d22a07f19c2d8443e6de5
SHA51227f6a38f0005d0e180ee78fa55f60c7f303fb1df432e3f753c266990382a3f38d4fe93cc0b4f3a84f6e2a1ed6fbad64840b08582c830c6163bbfc5606ae143a8
-
Filesize
1KB
MD5d35cb93ad78a7e29785d4eb5fc25ab0e
SHA1d1c0a3b38708b84a4198989ec13f086bfb79bb56
SHA2567a16d6bd9ec044e74c7327462bd175518d199fe8fd2fe7d69ded48b6c707366c
SHA5122148ec93a665e1a899ae1ee79b01968195e4c62378afd7feb519fe53944e9f18e466e89841cb9ee33231ad3f47ff933584732222fbe97bb928e497e7a7139cd8
-
Filesize
471B
MD5cac383b34ceef336aa06639c8652ee6a
SHA1a8d44d367824651dc5626fd2b85ad6b7dd591872
SHA256b8596f7df514d0284ed6cbee8e291983c28372342e413225645df908dfd266d2
SHA512c4ab8f8fb897be2165ae34750ed392a13dafa320d73bfed45052d8c8081611d5af42fd20aa54cdb717e3fe964331cf511f19e9ecfe72eec17dfacaeaaf493995
-
Filesize
280B
MD55fada94ec59c5b97b9510ed352eae4fe
SHA150c92953754d931fd10d4789a2d3a651f042551e
SHA25671356493f95aaee7069bb3b06b02e9709a630276e702b9d0b418f9cc3817a367
SHA5124d1679a7a85fb96fd342a7a4d34f97621ae8c6214a84d8115fb9c97eff4decf59a7c4b9b192c3ad61dad7b2f2f65019495e3f61a4f2a24094ffcef3bbeb882a6
-
Filesize
1KB
MD5ffa607aaa747f1a963555210d4805f40
SHA1e559ff0c38fe9b13309a78eb4882635fe114b06b
SHA25635ccfc49462f1c7f6fbb7fc6850db794ceb085a501c5f4df07353e03a6a1de1c
SHA512b6b0ab4ecb316177b82101632889044bcc19ff237e9ea149c86f7cc805450e9de6a636c563a4898913988f523f191a342061f0a9309705ccb8d3d51068f5e5a7
-
Filesize
1KB
MD5cffb3bb22aad98d90d0869f156630add
SHA17be59bbb4a70a606da964bd3af2d96e1f5b68c3d
SHA2563d7dafcc27fe8333df20bd4398ea56b592eceea8e126298fba1ad86caacb9ea6
SHA512401c6dab268fdecfea5fa5f5a4d9c562cc1944f32098ef152d211376846f24176606454ba3e79516aa8b02bbb1b8bbd7757510d32f530942c455a5ee6e31f23b
-
Filesize
724B
MD5f569e1d183b84e8078dc456192127536
SHA130c537463eed902925300dd07a87d820a713753f
SHA256287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
SHA51249553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012
-
Filesize
471B
MD55f309b801fdcff49c832652cf9f67fed
SHA1f0b6a27d0995fd7fd40f23ee385f8fe1fd752c13
SHA25653663428a1b73aeee2fc68815b072ad9ced52bfd3726416aaab332c29eb3aab6
SHA512b458da021b8506ecd4c8766ca0a6f8d881317832c4d573a2d9cb1c9386dc549c8ff13cf0942fa6661574e093b92d63a6af018731f7fd4806106641b800c1caae
-
Filesize
192B
MD567f8ba91f461c86e4ddf10b1eb208520
SHA1303b34b505d7e05d4532f08c5bead3f751e553ae
SHA256c9f6d0e9c4ae3f07488dc8452c0ed71f53166660b953dd18ce13fca83b5f7dd9
SHA512164ef4d6b43c5d1a3d8808a4619f540a825e860110c530737a2fa7b7e71c18e7f0b4332c3af2e491da843c2651b4c91ca5685a398f8fe25576c64dc1f03454b0
-
Filesize
410B
MD559cabd79c6a00fae0825220eace8dfcf
SHA14edb895a5dae33ba24d48283dd20505db97e5c67
SHA2561929ada4b91ec69c483992a8cacc00d9e2ffa836517f7f90a99daea0669d4880
SHA51266bfbe20fd4d37ebb5d7835d69883835d51dc08569ea1253b10191f613f450ccb17111116d78e92931b68a2c2c381ec9ec93a2336b3322f96502bb5d070d912a
-
Filesize
552B
MD5c945601888f4ed09d6960ce92766c913
SHA12f87a0d4d58328d1c60a6549bdcc2d0d19adbdbe
SHA256a3676d88f25019175818a7c329543cc3249d6ba74d743c9f18e80e372208ca8e
SHA51249c30807af87fe78a43279d677a31c7bc09960d4a7cbf4fbe612f0a31e0512250ddd303b35b3b7d8e3c48168059d31a95cb0ff12437a70711e1b0c50a5d7cc87
-
Filesize
438B
MD55eefea67cc2bd5c761472164529e5cc1
SHA1a0484fbb242491533c1b019afbcd8c44df82a47b
SHA2562aab42836ba38b4d3e20870a51afe80f4ee0cf35c7b7c9dc15811e74c621dac9
SHA512825d67d4fede2f739a9a0c647977d618c06a54ade2a5d5b5a85e708237f7478fcd3ba089a8f0518c43470f8b959f259cb53fa710a48c29323c2f085b687ce514
-
Filesize
442B
MD520ecbc08db829c5f1f39af1b4ebf95c3
SHA1db764002406e101de64ff86a7fa0715dddba528f
SHA256bd11bee270f1cb3002aa8c82c709174126063d4adac42b8809c3e3120f5f1c9b
SHA512346a6e163a5ff020fa316964433b506bc0fff6fedb3bfbf8b903cf8550f585ff2b68efc315a865859f85c05006721b8370f98c212276b747223dbffa463be79c
-
Filesize
444B
MD5ff92113d433a01ec22e7148578d88b9b
SHA1f9053b462a2399e33519bd63bec3e276f9044eb3
SHA25649d860939a8c0e66f1924a9663c3bd41c77484d760bdcf3515ec3e922df4bf99
SHA512a0eb7f16888a7644d2a23741535203fc8919a563026b1ce57d6414b043fb7a361764d82b582ce0469be8b3ac481d7d5db93c3a6b472ab774ad77eb3890115ffe
-
Filesize
430B
MD5c7998f93075fdf97fc3047655cdc490d
SHA1db0fd29beaa3734069459bf06126b2932424c0a0
SHA25690121f371b92bddeb7378fd9b12732aee627b6163bfe19bffb05f2332c124551
SHA512ada086ebecde7aa32849cd39f3503c5282e41c561f5972b7cf51d53ffd9c56645c1223ae32479f8e7a32407c120efe48cac759f9ec9747e83e408ee09cf93c24
-
Filesize
458B
MD5f62d00e9d8d64fe4ff2519074359e503
SHA185f774eadbd94ca20420279a2ea26616e7a760f0
SHA25695cea07db2a180971ccd55eba2a8e2504d0e189d32fda8f554c3c4e2bf7a3af4
SHA512734d3bd2d11ed90a752e3338ea04db7fdb07ae89c7e52d793f219fdf8b15d643c5b354bce5c902865f1522c72fa98800f550b6d850a58ed74ea2472eb0109572
-
Filesize
432B
MD5b87e906ed1be7718eca9e198709a608a
SHA1c16afd6d4dff678ca2237688d36b73e2312e4874
SHA25625be6b0539128059c91b893be5f012b78f3f159390a52ee0c5e48d9636eff6ca
SHA51220b82e7606c084156c41bad8189071d7687e7009c0a73f1620a799e68551c847a0811239f897d7b5fbbdfaa5f59c1053346cae321e29a7f7795a295751a757ea
-
Filesize
392B
MD56c78e0f193f7d0cbd58430d7fc4aa36a
SHA195a5a628b9e0ea0b787a4831e2918b7884dbc2ff
SHA256ec52f4e5c94611107b55ef6f67659eed1d0079012c10d62240e28c9b9946c592
SHA51222118ee7016831910721bda2065e34ad9c6a9fbbc44e7c980e035d56a8464ae06e7ec5e42caf0e4528afda1ea4d6175f13e6e31ccf2a0f9c74a1032f439a7103
-
Filesize
406B
MD5bb963101431ef5282ac96abe8c6c48c3
SHA1dc9e16476c343c8df14abe2d58608bebd191aeac
SHA256de552a7e797aa569bc6bb8e0f0b2a6f6ede3715da56545a6f7c9f027128f264e
SHA512246a6e53465355e2178153b933efaf23295471912c1eea46b32df6a7e14555be52072b26ad14286f36b71c41c77f3f76d515995d382eabd6ef22e19a7c93aca9
-
Filesize
96B
MD52615bf9ed6d2e854c0602ef8fdd787df
SHA14e0682a961ee43b9ddce5b3c03c83945d7d0cc40
SHA256a33ee4de5292cb00e1833b85a5dc530240bb5f23ee64a56ae7fa23ae4aabc493
SHA51224ec09d91c3d8d93c7dd595dad8eefd00de24759e039bc4dfc6967291ee54ef2a65b693b02143352a8a7c0e83b372d77389059811927b18f52472ead1332fb8c
-
Filesize
39.2MB
MD5b31a1d7c6d732d78205b619daa8df3f0
SHA127ff179cd5a9ed7a562f62d40c492bc6963b23a0
SHA256b3e9812eb077d65b30adc9b4f86bae472b22d66f8f3c95b2d49756177bbfd4fb
SHA51276d0110eecdb0dbc8185c008f85d040885ae705b09d56f833c7254bb20f3f5a77adf2345d485c9370c5353ac0c8d2385dc90705db300f6dccec4568542847900
-
Filesize
39.2MB
MD5b31a1d7c6d732d78205b619daa8df3f0
SHA127ff179cd5a9ed7a562f62d40c492bc6963b23a0
SHA256b3e9812eb077d65b30adc9b4f86bae472b22d66f8f3c95b2d49756177bbfd4fb
SHA51276d0110eecdb0dbc8185c008f85d040885ae705b09d56f833c7254bb20f3f5a77adf2345d485c9370c5353ac0c8d2385dc90705db300f6dccec4568542847900
-
Filesize
66KB
MD5889e8ff9455bb4837f91ff644dcf2b82
SHA16bc850368a6444885e59d368ab5774cedb6792e2
SHA25656ee941f7f4fcf1e050be3544ad73cfe7a061f288a3af4960632b0fcced94d51
SHA512771af6b48883b408d45c952380ede6ab466efb776360af6bda5c0530332876d62b127803e4e4cef7e68dc64f829603cb939dbdc2d8cafe3d08dc954b796f2fa4
-
Filesize
569B
MD56ae5c2395170e2d6d29d4f1e95e676e6
SHA1533905ab44c6c68b58212f62202549646e23f2f6
SHA256c12e04bcf0c4bd14dcbb50cc96416c77080ffc4bac7fb784d462ee6d6d163d6f
SHA512492b0f4e8d4783194438f6be9d432bc008b7d72a31dbaf9aca5714e276ee13f8310408f379f165ec4ac63eb59404899c772f471a48a785ad8fd79c1cd9bfc80e
-
Filesize
122KB
MD5f83cd0592ef46ff26c4b81f3ebbeec1c
SHA19a99d054675e7fa659188e1057a271b4b59c6e78
SHA2562c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b
SHA5126c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9
-
Filesize
473KB
MD57c89d3e9baf0648fb767a70e0eacc35c
SHA16558308ec9d4be79b001c03030401c0e3c9701bc
SHA256ba6a8965961f80013100f0aa804565edfec035b141cc4484a60b658a1b858dd9
SHA51200b62dea3d4b4dd60ef307121acf1357e418b3de69b85b8ccb0f74dbb28c357a8dd410020ef325dba5c8bab8c2eac41234686a8e4fdee24063734f3f860ee7d2
-
Filesize
473KB
MD57c89d3e9baf0648fb767a70e0eacc35c
SHA16558308ec9d4be79b001c03030401c0e3c9701bc
SHA256ba6a8965961f80013100f0aa804565edfec035b141cc4484a60b658a1b858dd9
SHA51200b62dea3d4b4dd60ef307121acf1357e418b3de69b85b8ccb0f74dbb28c357a8dd410020ef325dba5c8bab8c2eac41234686a8e4fdee24063734f3f860ee7d2
-
Filesize
1.6MB
MD5838ae3dbeff52602990b920a75ec58f3
SHA19f5e1638eb907f9baa63878fa8862898342554f4
SHA25636e8d88612cfa55958f118871c346fa4ea42c19cbc90ecdea4885104089439a4
SHA512414897ea9c51e2ae9c596cb1ef61bcfcea2c33eb08530dc6f9bec19a7ef9fbf73cbe9326cd3bae3a3590504d751af654d6b163ed315d598dce5310ca067c3266
-
Filesize
1.6MB
MD5838ae3dbeff52602990b920a75ec58f3
SHA19f5e1638eb907f9baa63878fa8862898342554f4
SHA25636e8d88612cfa55958f118871c346fa4ea42c19cbc90ecdea4885104089439a4
SHA512414897ea9c51e2ae9c596cb1ef61bcfcea2c33eb08530dc6f9bec19a7ef9fbf73cbe9326cd3bae3a3590504d751af654d6b163ed315d598dce5310ca067c3266
-
Filesize
46KB
MD5f7b1a64333ab633f980b702723fb7cba
SHA1e7e04a69a84c5a9e7d0901eb00face35457a0df1
SHA256e7bde6768de9a7a1b1028d7fa52548f8c074b7355820b7a1cb2d4c2c082512d2
SHA512666d09200f0bc1762903fcfb748335d1fec27cf2cd9723a91d2ad870468b94236ad7c15ed453446accc415f0be5d40f006d57695204fd7fa30c676a8e6d2ecad
-
Filesize
46KB
MD5f7b1a64333ab633f980b702723fb7cba
SHA1e7e04a69a84c5a9e7d0901eb00face35457a0df1
SHA256e7bde6768de9a7a1b1028d7fa52548f8c074b7355820b7a1cb2d4c2c082512d2
SHA512666d09200f0bc1762903fcfb748335d1fec27cf2cd9723a91d2ad870468b94236ad7c15ed453446accc415f0be5d40f006d57695204fd7fa30c676a8e6d2ecad
-
Filesize
66KB
MD5889e8ff9455bb4837f91ff644dcf2b82
SHA16bc850368a6444885e59d368ab5774cedb6792e2
SHA25656ee941f7f4fcf1e050be3544ad73cfe7a061f288a3af4960632b0fcced94d51
SHA512771af6b48883b408d45c952380ede6ab466efb776360af6bda5c0530332876d62b127803e4e4cef7e68dc64f829603cb939dbdc2d8cafe3d08dc954b796f2fa4
-
Filesize
556B
MD5a08e9477bcf35558054417f16a5f5617
SHA15853ada9553643a039b1b56324f0c95226179c44
SHA2567ef40c0cf01ec60f42ace3924716f5ccef0f5eea84bd8f9006016ddbfcdf36d2
SHA5122f7950f9462fb26dfbd133311f2c0403929eef6c75abe416d55ca8e88dceaef15021e294c3ea683d221ae22ba7acac33c63d80d441adf28fa8ffd67a577b11b2
-
Filesize
122KB
MD5f83cd0592ef46ff26c4b81f3ebbeec1c
SHA19a99d054675e7fa659188e1057a271b4b59c6e78
SHA2562c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b
SHA5126c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9
-
Filesize
160KB
-
Filesize
5.4MB
-
Filesize
3.4MB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
1.4MB
-
Filesize
6.0MB
-
Filesize
104KB
-
Filesize
256KB
-
Filesize
272KB
-
Filesize
472KB
-
Filesize
2.0MB
-
Filesize
192KB
-
Filesize
704KB
-
Filesize
2.5MB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
496KB
-
Filesize
352KB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
1.6MB
-
Filesize
1.3MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
5.6MB
-
Filesize
39.3MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
936KB
