Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
17/10/2022, 08:54
221017-ktx6kabbg8 817/10/2022, 08:29
221017-kdjcgabcdn 817/10/2022, 08:08
221017-j1pmbsbcbl 817/10/2022, 05:56
221017-gnhxxaage2 1016/10/2022, 16:18
221016-tsd6qshgc7 8Analysis
-
max time kernel
1527s -
max time network
1484s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
17/10/2022, 05:56
General
-
Target
http://we.tl/t-dIsTXRtNmc
Score
10/10
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 7 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 61 IoCs
-
Registers COM server for autorun 1 TTPs 64 IoCs
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 45 IoCs
-
Modifies data under HKEY_USERS 7 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://we.tl/t-dIsTXRtNmc1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4928 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Adds Run key to start application
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa660d46f8,0x7ffa660d4708,0x7ffa660d47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3212 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5560 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5500 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x12c,0x128,0xcc,0x114,0x7ff61afa5460,0x7ff61afa5470,0x7ff61afa54803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6420 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1332 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5584 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6996 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3984 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7152 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3820 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6644 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1308 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1068 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5436 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14135804046387389964,12486647397967582804,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\slam ransomware builder installer.exe"C:\Users\Admin\Downloads\slam ransomware builder installer.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start C:\slam_mbr_builder\start.exe & exit2⤵
-
-
C:\slam_mbr_builder\ndp472-devpack-enu.exe"C:\slam_mbr_builder\ndp472-devpack-enu.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Temp\{B6A5ECDF-7434-4D33-B1ED-E093A9010C00}\.cr\ndp472-devpack-enu.exe"C:\Windows\Temp\{B6A5ECDF-7434-4D33-B1ED-E093A9010C00}\.cr\ndp472-devpack-enu.exe" -burn.clean.room="C:\slam_mbr_builder\ndp472-devpack-enu.exe" -burn.filehandle.attached=568 -burn.filehandle.self=5763⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
-
C:\Windows\Temp\{F446DA32-49C0-4744-B37E-C0DBAA52E1A3}\.be\NDP472-DevPack-ENU.exe"C:\Windows\Temp\{F446DA32-49C0-4744-B37E-C0DBAA52E1A3}\.be\NDP472-DevPack-ENU.exe" -q -burn.elevated BurnPipe.{0CD9BA20-388F-4176-95ED-2FB0582BE369} {B0BE8111-805C-4BFB-B15F-2DBA1405FAD0} 19684⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start C:\slam_mbr_builder\start.exe & exit2⤵
-
C:\slam_mbr_builder\start.exeC:\slam_mbr_builder\start.exe3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F411.tmp\start.bat" C:\slam_mbr_builder\start.exe"4⤵
-
C:\slam_mbr_builder\smbrb.exesmbrb5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd BOOTLOADER & del BIN\*.bin & TOOLS\NASM\nasm.exe -fbin -o BIN\encryptLoader.bin SOURCE\encryptLoader.asm & BIN\bin2hex --i BIN\encryptLoader.bin --o BIN\encryptLoaderhex.bin & TOOLS\NASM\nasm.exe -fbin -o BIN\driveEncryption.bin SOURCE\driveEncryption.asm & BIN\bin2hex --i BIN\driveEncryption.bin --o BIN\driveEncryptionhex.bin & TOOLS\NASM\nasm.exe -fbin -o BIN\bannerLoader.bin SOURCE\bannerLoader.asm & BIN\bin2hex --i BIN\bannerLoader.bin --o BIN\bannerLoaderhex.bin & TOOLS\NASM\nasm.exe -fbin -o BIN\bannerKernel.bin SOURCE\bannerKernel.asm & BIN\bin2hex --i BIN\bannerKernel.bin --o BIN\bannerKernelhex.bin & TOOLS\DD\dd.exe if=/dev/zero of=TEST_DISK\disk.img bs=1024 count=1440 & TOOLS\DD\dd.exe if=BIN\encryptLoader.bin of=TEST_DISK\disk.img & TOOLS\DD\dd.exe if=BIN\driveEncryption.bin of=TEST_DISK\disk.img bs=512 seek=3 & TOOLS\DD\dd.exe if=BIN\bannerLoader.bin of=TEST_DISK\disk.img bs=512 seek=5 & TOOLS\DD\dd.exe if=BIN\bannerKernel.bin of=TEST_DISK\disk.img bs=512 seek=1 & exit6⤵
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\NASM\nasm.exeTOOLS\NASM\nasm.exe -fbin -o BIN\encryptLoader.bin SOURCE\encryptLoader.asm7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\BIN\bin2hex.exeBIN\bin2hex --i BIN\encryptLoader.bin --o BIN\encryptLoaderhex.bin7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\NASM\nasm.exeTOOLS\NASM\nasm.exe -fbin -o BIN\driveEncryption.bin SOURCE\driveEncryption.asm7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\BIN\bin2hex.exeBIN\bin2hex --i BIN\driveEncryption.bin --o BIN\driveEncryptionhex.bin7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\NASM\nasm.exeTOOLS\NASM\nasm.exe -fbin -o BIN\bannerLoader.bin SOURCE\bannerLoader.asm7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\BIN\bin2hex.exeBIN\bin2hex --i BIN\bannerLoader.bin --o BIN\bannerLoaderhex.bin7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\NASM\nasm.exeTOOLS\NASM\nasm.exe -fbin -o BIN\bannerKernel.bin SOURCE\bannerKernel.asm7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\BIN\bin2hex.exeBIN\bin2hex --i BIN\bannerKernel.bin --o BIN\bannerKernelhex.bin7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=/dev/zero of=TEST_DISK\disk.img bs=1024 count=14407⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=BIN\encryptLoader.bin of=TEST_DISK\disk.img7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=BIN\driveEncryption.bin of=TEST_DISK\disk.img bs=512 seek=37⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=BIN\bannerLoader.bin of=TEST_DISK\disk.img bs=512 seek=57⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=BIN\bannerKernel.bin of=TEST_DISK\disk.img bs=512 seek=17⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c MSBuild MbrOverwriter\mbrcs.sln & pause6⤵
-
C:\slam_mbr_builder\MSBuild.exeMSBuild MbrOverwriter\mbrcs.sln7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\slam_mbr_builder\Roslyn\VBCSCompiler.exe"C:\slam_mbr_builder\Roslyn\VBCSCompiler.exe" "-pipename:nVPhx1j0lFfdXs1tAOBeL3YcrBffq697F3mTz2k6ECM"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start C:\slam_mbr_builder\start.exe & exit2⤵
-
C:\slam_mbr_builder\start.exeC:\slam_mbr_builder\start.exe3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\65DD.tmp\start.bat" C:\slam_mbr_builder\start.exe"4⤵
-
C:\slam_mbr_builder\smbrb.exesmbrb5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd BOOTLOADER & del BIN\*.bin & TOOLS\NASM\nasm.exe -fbin -o BIN\encryptLoader.bin SOURCE\encryptLoader.asm & BIN\bin2hex --i BIN\encryptLoader.bin --o BIN\encryptLoaderhex.bin & TOOLS\NASM\nasm.exe -fbin -o BIN\driveEncryption.bin SOURCE\driveEncryption.asm & BIN\bin2hex --i BIN\driveEncryption.bin --o BIN\driveEncryptionhex.bin & TOOLS\NASM\nasm.exe -fbin -o BIN\bannerLoader.bin SOURCE\bannerLoader.asm & BIN\bin2hex --i BIN\bannerLoader.bin --o BIN\bannerLoaderhex.bin & TOOLS\NASM\nasm.exe -fbin -o BIN\bannerKernel.bin SOURCE\bannerKernel.asm & BIN\bin2hex --i BIN\bannerKernel.bin --o BIN\bannerKernelhex.bin & TOOLS\DD\dd.exe if=/dev/zero of=TEST_DISK\disk.img bs=1024 count=1440 & TOOLS\DD\dd.exe if=BIN\encryptLoader.bin of=TEST_DISK\disk.img & TOOLS\DD\dd.exe if=BIN\driveEncryption.bin of=TEST_DISK\disk.img bs=512 seek=3 & TOOLS\DD\dd.exe if=BIN\bannerLoader.bin of=TEST_DISK\disk.img bs=512 seek=5 & TOOLS\DD\dd.exe if=BIN\bannerKernel.bin of=TEST_DISK\disk.img bs=512 seek=1 & exit6⤵
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\NASM\nasm.exeTOOLS\NASM\nasm.exe -fbin -o BIN\encryptLoader.bin SOURCE\encryptLoader.asm7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\BIN\bin2hex.exeBIN\bin2hex --i BIN\encryptLoader.bin --o BIN\encryptLoaderhex.bin7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\NASM\nasm.exeTOOLS\NASM\nasm.exe -fbin -o BIN\driveEncryption.bin SOURCE\driveEncryption.asm7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\BIN\bin2hex.exeBIN\bin2hex --i BIN\driveEncryption.bin --o BIN\driveEncryptionhex.bin7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\BIN\bin2hex.exeBIN\bin2hex --i BIN\bannerLoader.bin --o BIN\bannerLoaderhex.bin7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\NASM\nasm.exeTOOLS\NASM\nasm.exe -fbin -o BIN\bannerLoader.bin SOURCE\bannerLoader.asm7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\NASM\nasm.exeTOOLS\NASM\nasm.exe -fbin -o BIN\bannerKernel.bin SOURCE\bannerKernel.asm7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\BIN\bin2hex.exeBIN\bin2hex --i BIN\bannerKernel.bin --o BIN\bannerKernelhex.bin7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=/dev/zero of=TEST_DISK\disk.img bs=1024 count=14407⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=BIN\encryptLoader.bin of=TEST_DISK\disk.img7⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=BIN\driveEncryption.bin of=TEST_DISK\disk.img bs=512 seek=37⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=BIN\bannerLoader.bin of=TEST_DISK\disk.img bs=512 seek=57⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=BIN\bannerKernel.bin of=TEST_DISK\disk.img bs=512 seek=17⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c MSBuild MbrOverwriter\mbrcs.sln & pause6⤵
-
C:\slam_mbr_builder\MSBuild.exeMSBuild MbrOverwriter\mbrcs.sln7⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM VBCSCompiler.exe & taskkill /F /IM cmd.exe & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VBCSCompiler.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM cmd.exe3⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM VBCSCompiler.exe & taskkill /F /IM cmd.exe & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VBCSCompiler.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM cmd.exe3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 961FAB650BE618E655E38DAB14A677F02⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4DB5FD7DA2F9FD6F9D100C2BC3F926AE E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\aspnet_merge.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\aspnet_intern.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\AxImp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\AxImp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\lc.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\lc.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\ResGen.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\SecAnnotate.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\SecAnnotate.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\sgen.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\sgen.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\SqlMetal.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\TlbExp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\TlbExp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\TlbImp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\TlbImp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\WinMDExp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\WinMDExp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\wsdl.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\wsdl.exe" /queue:3 /NoDependencies3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\xsd.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\xsd.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\xsltc.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\SvcUtil.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue3⤵
- Drops file in Windows directory
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x308 0x1501⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Checks computer location settings
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"4⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe/updateInstalled /background4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Checks computer location settings
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Users\Admin\Desktop\slam_mbr.exe"C:\Users\Admin\Desktop\slam_mbr.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\Desktop\slam_mbr.exe"C:\Users\Admin\Desktop\slam_mbr.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\Desktop\slam_mbr.exe"C:\Users\Admin\Desktop\slam_mbr.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\Desktop\slam_mbr.exe"C:\Users\Admin\Desktop\slam_mbr.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Downloads\slam ransomware builder installer.exe"C:\Users\Admin\Downloads\slam ransomware builder installer.exe"1⤵
- Executes dropped EXE
- Modifies registry class
-
C:\slam_tools_pack\NeoConfuserEx\ConfuserEx.exe"C:\slam_tools_pack\NeoConfuserEx\ConfuserEx.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\slam_tools_pack\NeoConfuserEx\ConfuserEx.exe"C:\slam_tools_pack\NeoConfuserEx\ConfuserEx.exe"1⤵
- Executes dropped EXE
-
C:\slam_tools_pack\slam melter setup.exe"C:\slam_tools_pack\slam melter setup.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-MQTG0.tmp\slam melter setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-MQTG0.tmp\slam melter setup.tmp" /SL5="$120514,887382,781312,C:\slam_tools_pack\slam melter setup.exe"2⤵
- Executes dropped EXE
-
-
C:\slam_tools_pack\slam melter setup.exe"C:\slam_tools_pack\slam melter setup.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-209S4.tmp\slam melter setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-209S4.tmp\slam melter setup.tmp" /SL5="$8056E,887382,781312,C:\slam_tools_pack\slam melter setup.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Programs\Slam Melter\slam melter.exe"C:\Users\Admin\AppData\Local\Programs\Slam Melter\slam melter.exe"3⤵
- Executes dropped EXE
-
-
-
C:\slam_tools_pack\slam melter setup.exe"C:\slam_tools_pack\slam melter setup.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-H3789.tmp\slam melter setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-H3789.tmp\slam melter setup.tmp" /SL5="$405A2,887382,781312,C:\slam_tools_pack\slam melter setup.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Programs\Slam Melter\slam melter.exe"C:\Users\Admin\AppData\Local\Programs\Slam Melter\slam melter.exe"1⤵
- Executes dropped EXE
-
C:\slam_tools_pack\Lime-Crypter.exe"C:\slam_tools_pack\Lime-Crypter.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\slam_tools_pack\exe2bat\exe2bat.exe"C:\slam_tools_pack\exe2bat\exe2bat.exe"1⤵
- Executes dropped EXE
-
C:\slam_tools_pack\exe2bat\exe2bat.exe"C:\slam_tools_pack\exe2bat\exe2bat.exe"2⤵
- Executes dropped EXE
-
-
C:\slam_tools_pack\exe2bat\exe2bat.exe"C:\slam_tools_pack\exe2bat\exe2bat.exe"1⤵
- Executes dropped EXE
-
C:\slam_tools_pack\exe2bat\exe2bat.exe"C:\slam_tools_pack\exe2bat\exe2bat.exe"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
Filesize
1KB
MD53bc1443386ca1911f35759eba2cf52d1
SHA17b4dbb3d168eb9e88adc9a4899657768c7322d8a
SHA2563f172427dcb8fb168768a5a0831c48e97724b0984f03b7fb4d2c38d112368846
SHA51204d4bf07487ad54cba1f0dd9e2462cc4da67b7ca20a3d75f8518469bae11556f2ce7238bcd75d09715e434bc789fd0c88fe61a1d615f98a88f5d5e623c9f8cd5
-
Filesize
503B
MD5358d9db3d84f18ed8c5ff78507f95745
SHA19ee4ac2081c34cc66bd0f3ff2e852592cfd1d34e
SHA256db855bf96f52b779fd59e96709519d70f54b15f595bfdbe1c7fd8b79be122946
SHA512d5a76e162fe0736ecde8f8d696a78adea1236c321e299b1e2cb94e162304b5d5b8c78e202597aec5ef8a1b2833736a66b24c25c7ace8b1bb3d86c07c50fe4001
-
Filesize
1KB
MD55c344864df047fd721d1377d3304ff0b
SHA1c014aff02897a166fa47b9171c87b733a24eff02
SHA256b8a7647b51be2904afada746d0cb0791a266507435466dfd60c75dbd7509e16b
SHA512b2ca080909057d57d4e38b22d72834f51e044d24a643c5a0440c1f1a3baaa0139e2244a4ad015e0b839116c42ccb8826ee071e2db90763c02f4dcfd588b76bf8
-
Filesize
471B
MD5a1fa0003a52ebb324daef7beffac914a
SHA105a4f39bebde05937dfefcddb4eaf3c6934a3216
SHA25600fd170b5c3ca6ff33acc4ca1ae96f14000aca8692f038d639793eeb4881cfb2
SHA512470ba58cf873bb1b0e34c7f8f7f73a80c842807e5d1bb2520fbe2dbf6f5bde0f7c911af9c4c062be16c128e2a24bcc4bf81244f5ec7fbfc4287a30136848536f
-
Filesize
1KB
MD5d35cb93ad78a7e29785d4eb5fc25ab0e
SHA1d1c0a3b38708b84a4198989ec13f086bfb79bb56
SHA2567a16d6bd9ec044e74c7327462bd175518d199fe8fd2fe7d69ded48b6c707366c
SHA5122148ec93a665e1a899ae1ee79b01968195e4c62378afd7feb519fe53944e9f18e466e89841cb9ee33231ad3f47ff933584732222fbe97bb928e497e7a7139cd8
-
Filesize
471B
MD59d0d86b3c55d84e4eeb79db7eb51dbe9
SHA1becc572560f027b77a2e8d7c68c5a2f26b3df24c
SHA2562257c1309e27d56b6a389438958c2c220f4611eca403946273af43adda90d25e
SHA5122183c044adfa85a0124b587eb59968881cf0c4b01a462077e3bbe36d8cd13d3ee4d708be617d770783def8d3a4dad04128e0426a6c3fb3fd9bb16cd2cfd10783
-
Filesize
279B
MD541bf6f5bc023a1b62dddbf3a03cdc87a
SHA183cabb42c754e9c1538e5ebf6c56696d73f237f8
SHA2565de11a60d23b08916fd76f7242b24555ac6ea0c7b9bfca28fa568925da789152
SHA51268c8925beb701dc497553045585221edcbbab07ee7cd4cc794d1096737cf415d44ecb3b07332e084cf7204ee0807cff81e04290bde6e2035f64919adb6ff1685
-
Filesize
1KB
MD5d59a05ba9c5285f503985b3b3cb8c7b9
SHA1b0e1468c2510508f4c4f258b7af5b2d389d02b1c
SHA2560166287ab72cc9f6e35c7c0d5488a8bb5fcf150052ac087f1720d00f56bbc085
SHA512ca1c1b6acb5ffd191109a57c8537f61baef343bd87298dab440e91a7cd6e7a3ba3322dcf5b79247ae9c47780c8331889a68734d8a1e31282ed887d661dd4ae4c
-
Filesize
1KB
MD5cffb3bb22aad98d90d0869f156630add
SHA17be59bbb4a70a606da964bd3af2d96e1f5b68c3d
SHA2563d7dafcc27fe8333df20bd4398ea56b592eceea8e126298fba1ad86caacb9ea6
SHA512401c6dab268fdecfea5fa5f5a4d9c562cc1944f32098ef152d211376846f24176606454ba3e79516aa8b02bbb1b8bbd7757510d32f530942c455a5ee6e31f23b
-
Filesize
724B
MD5f569e1d183b84e8078dc456192127536
SHA130c537463eed902925300dd07a87d820a713753f
SHA256287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
SHA51249553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012
-
Filesize
471B
MD5605901c6e42550516f2f8f55bdb77e58
SHA1d766e9a80c7c8b461f5e68fc383ca892c1e23307
SHA25639c2931465cffbe0f394c2dd1bed1833da893915af6c0dcb5a63939369909cf5
SHA5129fb19fc02c33d3a73bef90bd1b24db4c8ed479cea771adafcd473f931a3fbd34677323424711da15fa7a99c721b4e4538fa2b4001b0dd397f338c9a94b728480
-
Filesize
192B
MD56a5b83c3e961efa5e97ea953a5901d09
SHA15170e115c8b0e09342f8b2470276284d269db9a5
SHA2562cac80cc103bf6b20a1bb30beec9d6d5f275362538c2e1e14b3ebe9b13c5b605
SHA5128158753cde209d9e5b19a91be61902ad8cffc3afe4b17a55ac56ad2b71806a66399c8369df7a0eb05b17fccd1728b35004730d6e9452718a124f090b0f1ff978
-
Filesize
410B
MD5c8b5cb44046add0710db2ee7436aedae
SHA1601971f8254f800132971f46904620b741befafe
SHA25622c682956f7d760256f179c2f1e7dc8f2047429318b34c3c11824867a2acec23
SHA5120d9917e68ab6112ebef7699d8bc4729b011595ca68aa61e339e7ae46ce0b05caa66d72a5dbaf50636ee3063c86b80f4cd3c0bda87b4b0617e89adb356c2c4c0b
-
Filesize
552B
MD5d1232be8a13e22684a49a8252c67841a
SHA1fedebfffe29fe0edae34773ea3bdbff6d676fff0
SHA256f807143ad81d56116c50aa4c9f4fe81d7eb0fa918e17170a7516518d1d1cae5e
SHA512249515afb0034fbf784c94a7216c944156f8d52da4d7d6e2612b04bc987b3863d69487d5038ffca81587e9203982573edbd4cde9c3bc74072362bb83941c1393
-
Filesize
438B
MD54faad7e58e6afc01327317f4aa932410
SHA1e1c55d8f1c17ead6d0189536a8540b9676183991
SHA25613fe3ea4a283bf809056fb6475b10248873aad7b0fedce52e27b16a2c37949ad
SHA5122ed4b38b11fa01c741f8b193c4cd663782ba9069d9b7e5a5572251d2b2a75684c93fe154e7f3b9c378ce69b634726a4112b8cb3b08967ced4ec2ad81617cac56
-
Filesize
434B
MD50cb125d2a778138086abb5af873cb0a5
SHA1553bb9b3344842f3c918af266d802123e4b177f9
SHA25657d297eb73e1c3a3e4adda38eb27ee6eecf19c63ea3a83c32b9f55ddca1c4f25
SHA512877dcb32766265f27b043e31e89215c545242c735807f9c50ba62dcb1bb2ab3246f703d7fdc0c9929584bf31f49d019782810f25b39de8f4f40e903af940da8b
-
Filesize
442B
MD58ad737c6e4f260c22ce982fdfe27952e
SHA121165606d06a270ae4d0e60369403d45e1661863
SHA256ce628a883edaaa33db14c515237090db383ccd063d1253094d92617adf26ed68
SHA512431a839282e024aebbedc41e4279d2ce500a335c49a8ae058449137e7958acd08e60fb19cb37fb3d8b4a3e35d9f7bdc73bfb4bbecf68a894d559cd886dac19c5
-
Filesize
444B
MD58c435d5be3360169e1dc16849ba340ce
SHA17431998607feda8811f0628f44db492f0dc76ef3
SHA256190a606c7302546e7195b7060cecd665e6bf56287c7050f3750db5b78757fdb0
SHA512485872e38a3061d77d739c448af9b8ca8472da6d709a9becec179b09ccd5020211a0b20a7e2a6a13b84f69cd29e0c5efe6d534f03281e7d05f50c705b02899b5
-
Filesize
430B
MD5afb5a2cef2555e3e5bfe7c744483461d
SHA1e77216ccbd7c802f72626d2ce30f06411ea4f990
SHA256c755da1a640a23d783b925d7252abfa5143f3311d5188a9cab088f6db9e1ed9e
SHA5128597b82ecf180d444be8d87d62d8520003ab38c5874704d7f599500f9013568376d8a25a8e5b2940e11ee78fb0fae2992ec9e4ff1b5b6c5889ad58fd63fb12d1
-
Filesize
458B
MD58106b0a74dff5e1de4ed35faf3f09813
SHA1251724f42d1b6a4e06cbd97acdca3e62c5f8cbfa
SHA2566007a79fce68bce2a4c5bed10bede5fdb8bc11a776a61e7ef4729069d16ba4b6
SHA512264f9dbebbbbca8ea71cfb97a5a7c9bd215fdce24e4e2b7723a44b31660caca5fae51682bf1301f47474f03837d06575fc32397ebe483b6cc24fc4140f0019b3
-
Filesize
432B
MD549b4585eaeef35b33a672370bcd6d2c4
SHA185d4fda80ee088f7ac5281c0ca0b2b63670b7c10
SHA256fe5ccf3c6fe5350be007ef7e16d5cc9bec5849e9a4fe6a785eb4aad03cd8bc3b
SHA51206c706a7bea83947de6c7e8ce2ec1c6dc0f4d58a28e8b69161bb8dec4df5d438254e66686d929a52ec2fa490f4c9258fdbe20ec2fd4ca4211c011b9883860838
-
Filesize
392B
MD57d6a5eee30488368dfa4f2a3f1eaed47
SHA1389887ebbfb0835ae5924a9b488cc2a2240f4118
SHA2569caecb232cb93155256ef498e99c14b44d7c451fe4952bb47b70e00bb186c884
SHA512dd23314c4765f29b8ff34f166c1fcfb6c271cce9337e3ffa0b5fa679ab1afd29da85a46ac66b3202f31cb85024b8375c49188a05497588ecf9c6a85dc4765b29
-
Filesize
406B
MD59ad404751d23b8996574f52216c00278
SHA1be95bc59486884d54fab84b4804314f8718a95a6
SHA25619342ac35fa493f9e8420378908c275f69c8508d147a3bb37e2d1750f188bf41
SHA512ac6947ab73e5d72d3cf2cecb8845ced85504de78bd34d345224c107bb39c1593535b0642ff97fa7dd149189c09307ae812559e4726cd616cf2e9421eca6d2a54
-
Filesize
24KB
MD54e9962558e74db5038d8073a5b3431aa
SHA13cd097d9dd4b16a69efbb0fd1efe862867822146
SHA2566f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279
SHA512fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e
-
Filesize
4KB
MD5196d785ebbb4c59a4581a688cf89f25a
SHA15764ba17b0f0eff3b3ee2feaa16254c7558ea231
SHA256785f870959e083ea25f61ed88d3a6e87467a25449c5c34bac6da9e6aeec4ae40
SHA512b53262aa2986cb523b26fda77efa921d394826068a9a66e60d3ca6de58b7f14b5f5451bb8e85809539fbd04ce420e8ee374509023835788b8ab9f95ae5df1ee7
-
Filesize
41KB
MD5613796adb43bf9c8bedcfedd43e85dc1
SHA1e1b39980d8e8e217866e0d753bfe9e6d524971c6
SHA2564176f816751266c0881ccaa1cb599ce14543d61e0b696a8ffb69c25bde29879b
SHA512f188888375b6c9c597892a1dbc33774ad83ba763d31ec891ee09ea7a551ae0c78cf8e1126934be3cbe1830c738a0b0ef929d5f60bd33556b6954ffde0c2c3f54
-
Filesize
39.2MB
MD5b31a1d7c6d732d78205b619daa8df3f0
SHA127ff179cd5a9ed7a562f62d40c492bc6963b23a0
SHA256b3e9812eb077d65b30adc9b4f86bae472b22d66f8f3c95b2d49756177bbfd4fb
SHA51276d0110eecdb0dbc8185c008f85d040885ae705b09d56f833c7254bb20f3f5a77adf2345d485c9370c5353ac0c8d2385dc90705db300f6dccec4568542847900
-
Filesize
39.2MB
MD5b31a1d7c6d732d78205b619daa8df3f0
SHA127ff179cd5a9ed7a562f62d40c492bc6963b23a0
SHA256b3e9812eb077d65b30adc9b4f86bae472b22d66f8f3c95b2d49756177bbfd4fb
SHA51276d0110eecdb0dbc8185c008f85d040885ae705b09d56f833c7254bb20f3f5a77adf2345d485c9370c5353ac0c8d2385dc90705db300f6dccec4568542847900
-
Filesize
611KB
MD5ff15ef3b3739c3163b44c48fdea12cd6
SHA160c5165354cc235c95b77081f835c2310bc8dfdf
SHA256f39b7dccb4c4cfbe0ad2e52f22ae427359a7b8660c65a02ffa481046db3abca2
SHA5129f0472d5a8b957cbf79ddae5840f6875978b9d79aaaab23addf64d6723362ada9620d31df867423373457ec412885db8bafb3aa125b3d2cfd2d72ec65e6106e2
-
Filesize
611KB
MD5ff15ef3b3739c3163b44c48fdea12cd6
SHA160c5165354cc235c95b77081f835c2310bc8dfdf
SHA256f39b7dccb4c4cfbe0ad2e52f22ae427359a7b8660c65a02ffa481046db3abca2
SHA5129f0472d5a8b957cbf79ddae5840f6875978b9d79aaaab23addf64d6723362ada9620d31df867423373457ec412885db8bafb3aa125b3d2cfd2d72ec65e6106e2
-
Filesize
184KB
MD57b0c3d6557dbfdb0975fcbdcd6c5a3f8
SHA1e05fe61ae8ec7b99026b4c049b398050d8db1f99
SHA256d2a85fcc870827e8bf8ca2fca45ae36e77a267cb3d7828d16f77b4d5f4a4c962
SHA5126844d1897d5d0ed159ce8a48d9aae5b068e372b99f653db558ff5e0f91f7ff223b0274632e0d4c984f83ef72a59fddb6006338c2337f100f10ed566c055ba908
-
Filesize
611KB
MD5ff15ef3b3739c3163b44c48fdea12cd6
SHA160c5165354cc235c95b77081f835c2310bc8dfdf
SHA256f39b7dccb4c4cfbe0ad2e52f22ae427359a7b8660c65a02ffa481046db3abca2
SHA5129f0472d5a8b957cbf79ddae5840f6875978b9d79aaaab23addf64d6723362ada9620d31df867423373457ec412885db8bafb3aa125b3d2cfd2d72ec65e6106e2
-
Filesize
611KB
MD5ff15ef3b3739c3163b44c48fdea12cd6
SHA160c5165354cc235c95b77081f835c2310bc8dfdf
SHA256f39b7dccb4c4cfbe0ad2e52f22ae427359a7b8660c65a02ffa481046db3abca2
SHA5129f0472d5a8b957cbf79ddae5840f6875978b9d79aaaab23addf64d6723362ada9620d31df867423373457ec412885db8bafb3aa125b3d2cfd2d72ec65e6106e2
-
Filesize
104.5MB
MD5b24cc35845ec4baa9a1c423246073f89
SHA1563cce70f2aadf9ce81017696a7111f33745a587
SHA256878fdf9f137b1466855de995c793b466cd50fccc523d1f41250567973623180c
SHA51209f8a140e030405ce1e09d57f9fcb5058903aa3309e095602c03fb73801f5d10e0170bfc3d90988df5cf018b40d2f9020c3f338e54d2ef5ba36ddf1b5c851aea
-
Filesize
104.5MB
MD5b24cc35845ec4baa9a1c423246073f89
SHA1563cce70f2aadf9ce81017696a7111f33745a587
SHA256878fdf9f137b1466855de995c793b466cd50fccc523d1f41250567973623180c
SHA51209f8a140e030405ce1e09d57f9fcb5058903aa3309e095602c03fb73801f5d10e0170bfc3d90988df5cf018b40d2f9020c3f338e54d2ef5ba36ddf1b5c851aea
-
Filesize
816KB
-
Filesize
816KB
-
Filesize
184KB
-
Filesize
216KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
432KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
128KB
-
Filesize
1.1MB
-
Filesize
224KB
-
Filesize
72KB
-
Filesize
336KB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
584KB
-
Filesize
39.3MB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
5.6MB
-
Filesize
816KB
-
Filesize
816KB
-
Filesize
816KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
816KB
-
Filesize
816KB
-
Filesize
816KB
-
Filesize
176KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
120KB
-
Filesize
152KB
-
Filesize
104KB
-
Filesize
360KB
-
Filesize
32KB
-
Filesize
200KB
-
Filesize
1.3MB
-
Filesize
400KB
-
Filesize
152KB
-
Filesize
2.0MB
-
Filesize
304KB
-
Filesize
328KB
-
Filesize
32KB
-
Filesize
272KB
-
Filesize
104KB
-
Filesize
10.8MB
-
Filesize
104KB
-
Filesize
4.3MB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
120KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
152KB
-
Filesize
5.0MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
6.9MB
-
Filesize
520KB
-
Filesize
10.8MB
-
Filesize
10.8MB