Resubmissions
18/10/2022, 01:25
221018-btf3lsebgp 118/10/2022, 01:23
221018-bsbfqsdhf5 117/10/2022, 09:00
221017-kyevsabca2 917/10/2022, 09:00
221017-kyaaasbbh7 117/10/2022, 08:48
221017-kqj5jabbd6 817/10/2022, 08:37
221017-kjge3abcer 8Analysis
-
max time kernel
556s -
max time network
546s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
17/10/2022, 08:37
General
-
Target
http://we.tl/t-7si6bGYMbk
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 12 IoCs
-
Modifies extensions of user files 34 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 30 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 38 IoCs
-
Modifies Internet Explorer settings 1 TTPs 42 IoCs
-
Modifies registry class 42 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of FindShellTrayWindow 44 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://we.tl/t-7si6bGYMbk1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4840 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaa1fd46f8,0x7ffaa1fd4708,0x7ffaa1fd47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5188 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5704 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff630825460,0x7ff630825470,0x7ff6308254803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7272 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7088 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1120 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\slam ransomware builder installer.exe"C:\Users\Admin\Downloads\slam ransomware builder installer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & taskkill /F /IM slam.exe & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM slam.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & exit3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start C:\slam_ransomware_builder\start.exe & exit3⤵
-
C:\slam_ransomware_builder\start.exeC:\slam_ransomware_builder\start.exe4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F5F9.tmp\start.bat" C:\slam_ransomware_builder\start.exe"5⤵
-
C:\slam_ransomware_builder\slam.exeslam.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln7⤵
-
C:\slam_ransomware_builder\MSBuild.exeMSBuild.exe ConsoleApp2\ConsoleApp2.sln8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmp45dc9a873bd443e6bf5ed50c83fa2c52.rsp"9⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES407F.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSC836BD4FABFD14F7EAEC2C2E8F5BD40A1.TMP"10⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4467.tmp" "c:\slam_ransomware_builder\CSCEBBF3D5DF366446B855B9E33F211C684.TMP"9⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln7⤵
-
C:\slam_ransomware_builder\MSBuild.exeMSBuild.exe ConsoleApp2\ConsoleApp2.sln8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmp20fc884b31104893a1ecccf04d633df4.rsp"9⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60BB.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSC646A87BB1A0D4D4E89B3CD79B52C7C40.TMP"10⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES632C.tmp" "c:\slam_ransomware_builder\CSCF90D7ACBD5F742B19D92F2F42DA5F84.TMP"9⤵
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7472 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7564 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2316 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2000 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=176 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11339628018193370389,10540675312971013152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5452 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\slam_ransomware_builder\test.exe"C:\slam_ransomware_builder\test.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\slam_ransomware_builder\test1.exe"C:\slam_ransomware_builder\test1.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\slam_ransomware_builder\test.exe"C:\slam_ransomware_builder\test.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\slam_ransomware_builder\test1.exe"C:\slam_ransomware_builder\test1.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\slam_ransomware_builder\test.exe"C:\slam_ransomware_builder\test.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\slam_ransomware_builder\test1.exe"C:\slam_ransomware_builder\test1.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\slam_ransomware_builder\test.exe"C:\slam_ransomware_builder\test.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentBrowser*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecDiveciMediaService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecJobEngine*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecManagementService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vss*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sql*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM svc$*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM memtas*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM backup*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxVss*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxBlr*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxFWD*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCVD*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCIMgr*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM DefWatch*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM ccEvtMgr*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM SavRoam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM RTVscan*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBFCService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM Intuit.QuickBooks.FCS*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooBackup*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooIT*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM zhudongfangyu*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM stc_raw_agent*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VSNAPVSS*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBCFMonitorService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamTransportSvc*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamDeploymentService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamNFSSvc*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM PDVFSService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecVSSProvider*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentAccelerator*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecRPCService*3⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt2⤵
- Opens file in notepad (likely ransom note)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
Filesize
1KB
MD53bc1443386ca1911f35759eba2cf52d1
SHA17b4dbb3d168eb9e88adc9a4899657768c7322d8a
SHA2563f172427dcb8fb168768a5a0831c48e97724b0984f03b7fb4d2c38d112368846
SHA51204d4bf07487ad54cba1f0dd9e2462cc4da67b7ca20a3d75f8518469bae11556f2ce7238bcd75d09715e434bc789fd0c88fe61a1d615f98a88f5d5e623c9f8cd5
-
Filesize
503B
MD5358d9db3d84f18ed8c5ff78507f95745
SHA19ee4ac2081c34cc66bd0f3ff2e852592cfd1d34e
SHA256db855bf96f52b779fd59e96709519d70f54b15f595bfdbe1c7fd8b79be122946
SHA512d5a76e162fe0736ecde8f8d696a78adea1236c321e299b1e2cb94e162304b5d5b8c78e202597aec5ef8a1b2833736a66b24c25c7ace8b1bb3d86c07c50fe4001
-
Filesize
471B
MD5a1fa0003a52ebb324daef7beffac914a
SHA105a4f39bebde05937dfefcddb4eaf3c6934a3216
SHA25600fd170b5c3ca6ff33acc4ca1ae96f14000aca8692f038d639793eeb4881cfb2
SHA512470ba58cf873bb1b0e34c7f8f7f73a80c842807e5d1bb2520fbe2dbf6f5bde0f7c911af9c4c062be16c128e2a24bcc4bf81244f5ec7fbfc4287a30136848536f
-
Filesize
1KB
MD5d35cb93ad78a7e29785d4eb5fc25ab0e
SHA1d1c0a3b38708b84a4198989ec13f086bfb79bb56
SHA2567a16d6bd9ec044e74c7327462bd175518d199fe8fd2fe7d69ded48b6c707366c
SHA5122148ec93a665e1a899ae1ee79b01968195e4c62378afd7feb519fe53944e9f18e466e89841cb9ee33231ad3f47ff933584732222fbe97bb928e497e7a7139cd8
-
Filesize
471B
MD59d0d86b3c55d84e4eeb79db7eb51dbe9
SHA1becc572560f027b77a2e8d7c68c5a2f26b3df24c
SHA2562257c1309e27d56b6a389438958c2c220f4611eca403946273af43adda90d25e
SHA5122183c044adfa85a0124b587eb59968881cf0c4b01a462077e3bbe36d8cd13d3ee4d708be617d770783def8d3a4dad04128e0426a6c3fb3fd9bb16cd2cfd10783
-
Filesize
7KB
MD5fd7cc523eb62af42936754247645337d
SHA1d47cfe0b55e8279c218ad6cd91f029c89949783d
SHA2560d882d0a2469f4d01f5eb86d7cf45299f235ee7e4188fe66c736db9a20bcf442
SHA5129d9378e4d3c07da83f120254d19d261042bab9ba1537d5e5f6e4581113152fc6b66c27ef85dfab7b55381fe341f7c4d92945e590958d5b735cff8ddc92a10ce8
-
Filesize
279B
MD541bf6f5bc023a1b62dddbf3a03cdc87a
SHA183cabb42c754e9c1538e5ebf6c56696d73f237f8
SHA2565de11a60d23b08916fd76f7242b24555ac6ea0c7b9bfca28fa568925da789152
SHA51268c8925beb701dc497553045585221edcbbab07ee7cd4cc794d1096737cf415d44ecb3b07332e084cf7204ee0807cff81e04290bde6e2035f64919adb6ff1685
-
Filesize
1KB
MD5d59a05ba9c5285f503985b3b3cb8c7b9
SHA1b0e1468c2510508f4c4f258b7af5b2d389d02b1c
SHA2560166287ab72cc9f6e35c7c0d5488a8bb5fcf150052ac087f1720d00f56bbc085
SHA512ca1c1b6acb5ffd191109a57c8537f61baef343bd87298dab440e91a7cd6e7a3ba3322dcf5b79247ae9c47780c8331889a68734d8a1e31282ed887d661dd4ae4c
-
Filesize
1KB
MD5cffb3bb22aad98d90d0869f156630add
SHA17be59bbb4a70a606da964bd3af2d96e1f5b68c3d
SHA2563d7dafcc27fe8333df20bd4398ea56b592eceea8e126298fba1ad86caacb9ea6
SHA512401c6dab268fdecfea5fa5f5a4d9c562cc1944f32098ef152d211376846f24176606454ba3e79516aa8b02bbb1b8bbd7757510d32f530942c455a5ee6e31f23b
-
Filesize
724B
MD5f569e1d183b84e8078dc456192127536
SHA130c537463eed902925300dd07a87d820a713753f
SHA256287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
SHA51249553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012
-
Filesize
471B
MD5605901c6e42550516f2f8f55bdb77e58
SHA1d766e9a80c7c8b461f5e68fc383ca892c1e23307
SHA25639c2931465cffbe0f394c2dd1bed1833da893915af6c0dcb5a63939369909cf5
SHA5129fb19fc02c33d3a73bef90bd1b24db4c8ed479cea771adafcd473f931a3fbd34677323424711da15fa7a99c721b4e4538fa2b4001b0dd397f338c9a94b728480
-
Filesize
192B
MD548808c5fea227721477e670a0c67b431
SHA11570162160ac7c3abfa001fbc2bbc6f1c986c2f9
SHA256107bdead340abe6408d9df44e672b81939be6b67354c13a9e564980917ae5159
SHA5127ba183d2df7c2ef188c0b40dfe1dc7234388358789b0292ccdcc037a65bd0e1ebac9872f568de9ce8451e9e0a52ab754e636dcdcea988a6490ed4fe47d81eec2
-
Filesize
410B
MD5b4dc41e9250cc2c98553236ad1422c21
SHA17b6e443f213d1f90cd8df1c3a1950c3bb41abce1
SHA256f6d5bff01643a988dd017c22b31aba1252051451e7836322365d6d911f3c1e1a
SHA512d79ce4c336040d39026ad2ec5fbdb141fe21bdb0968eff2010f890d961428210f7544b646a05d9b4c8416c464f61852374030e0eddd00fc3a5ec68e12ff4a47c
-
Filesize
552B
MD5078afbbf73724e399c620ff93c47724f
SHA1c864487380bf7623aeddcc38f547fb4a9462edb3
SHA256ba19f5718a0a38d39b2a848f499978f67c26ec0fb95c1a9cde60168326246294
SHA512ad0d2d68afbc1aa0d225110ea87b94d3b212b28849409f0aaee4ee63db3a01703987bb2a1b1224d625346a02491cef297af2301c9f01bd8c8c284f1cd4882407
-
Filesize
434B
MD5d16cf36407b39ea6cb8121c1779014a7
SHA1fe6bbde474cd19936cb4e54a759ec4fb20401410
SHA256fa4b8945b0c1ffcac28e7a270360b113dba298c2bf320227fec96f6535efb5a3
SHA512581c36cf99c26b931c3259450abffe5332cbd5dc461df1f92d7ab78ea88b04c55a340fb5b769932eb57718eebe6ff4d67a9773335c581a493f21272632578670
-
Filesize
442B
MD582fa07cb23ceb9fa4dfc95b727dff4fc
SHA1b38b2e6c0d309170ff61d3b716a69d55bb82465c
SHA256838847333427cb8719d1f8da063fcf74b583b94f560ec310a1b317aa96560c8b
SHA5124eec405d4faad28a62ea37c9ac46da5df589b30053678c7cf1743b591a506c921f3299e1108b098311ebc5650dc18755f7653f77adafae3efd31285fe2c9a5ca
-
Filesize
444B
MD5b1ed9be4443f5c1a0012871208524d08
SHA117975b6f02154edae0d0d16d8cf237f797ef04cf
SHA2565dbf6578e0a84d3c9a1dd9fa000ac30686323ae0c306e89f6f54a06360e39b8c
SHA512ddecb256622843b07fc64eb1b3c4834c6ebbf27e3f919d966a0e30cdc1a2e96e0bc091ba7b7062949ccce71019db5665a86f8f088513a6ef3481dc56079be9a4
-
Filesize
226B
MD53ee8cae00cbf9fc29a99a66c417732ec
SHA15c89b1b43bbbdadba0aeb3d28f71c5f07736f092
SHA25612c6c1195f7b789ae219387f82ef53fd6d7aec207e4baeb8185e9c0d57604cb4
SHA512105f53b9fa908b12563b233515968f0bf54e69fea1ca95f11f50d201f42c863ce67f5f684c98beffc91cda27581a7380cb8333e4b3a7f2b404acb1830dd8dfe6
-
Filesize
430B
MD5d7565da44af9dc9a5a4ce7c01054208f
SHA14ab8787335194e32a19b7b153538ca6a92e1f9af
SHA256d655c49e3d71de0fc58997e00aa719e9bac63a64e0d11bab521f049d5dc6f65c
SHA512b386c50e7ed12f9f583792a3267355550395fe781e5d023b221cd6ce0659205f63db80426fb69c6525dc23c7542d1ddbd9468c9715c402716c4b32410b349844
-
Filesize
458B
MD58111717393d1b0e7795fda8ca4122e21
SHA14d42ad94871cbf35145261d2ce9c92ce90d864c4
SHA2564e2862e998361f7a7c33163307370f37d4ed77584bb2f395b540295d10227343
SHA512ac1dab715f8124827169259f406e2541f9504cbac72acd76d5481c5dbf900e7d08679cc0c2ce99c74da3bc7294a2739c9d8ec580d5751447c5494f26e3a86194
-
Filesize
432B
MD5abd0bc2e30f069274686cd48cf073d73
SHA1abb9e4a620900ff32b7c11be9806bb4f3d0faa15
SHA256e37bd751c48cd961ed045be47f8901eef6b9e8d34fd6131be7b691c43aea521c
SHA5123e03de40d45f5c54ff382e2475a54aec68ea3c169703b890b9148a9b8c8b4ae0918613c045a73e73160aad10201b0071832ea9b5d49fd6abe9c4715fd2034252
-
Filesize
392B
MD51883a8c0601ba0d36028813e8a23c2dd
SHA11b103ee78464a0bdc09f058178f6d7fc2ef7ea11
SHA2564e3e17524e782d61df8df940e0d8e88aca4d4fee6885685a74eeae257ab92d6d
SHA51271e4466fe2c33bf17c9cbad813962ce4911a1a3d81f2cfd25a5d62e3e2ddbf6125ee64c9d0787eff317e816318981e2e0b85154295a2f17e66a66db8d77a6567
-
Filesize
406B
MD5158dea97075c5c809b070b2cb071b597
SHA1013030cb526413808bd111250bcf77974d15a7fb
SHA256738353c057f7773a2801df81922fbc16afd2da246f24cdc16cd2cdbe374ce578
SHA5129685ae62971186672da84a3cd58ec69bd60c253cce3f484fdd4f6e8b870f420e27cb561294d729bfefa25352952575be8ecb18520493ab9f3292651ffa986b5b
-
Filesize
41KB
MD5c015d39c0e3b215f28b4bbf38bb4cf7b
SHA15bbcc9f6a54de3e9b0aa0cc45855d524354d4eb0
SHA2563f1e832798c2ef4606e34cb65118f56226b316bcd72037ab58dea5fa1397ee87
SHA5128dbf872d7b58542424e5a0dda01e5cc2d0eb517388585b3a1766ea774360281e23b4545a045abb9daa3eda9ff95bdd0cf407724582228c05f077aefd697b9747
-
Filesize
96B
MD52615bf9ed6d2e854c0602ef8fdd787df
SHA14e0682a961ee43b9ddce5b3c03c83945d7d0cc40
SHA256a33ee4de5292cb00e1833b85a5dc530240bb5f23ee64a56ae7fa23ae4aabc493
SHA51224ec09d91c3d8d93c7dd595dad8eefd00de24759e039bc4dfc6967291ee54ef2a65b693b02143352a8a7c0e83b372d77389059811927b18f52472ead1332fb8c
-
Filesize
39.2MB
MD5b31a1d7c6d732d78205b619daa8df3f0
SHA127ff179cd5a9ed7a562f62d40c492bc6963b23a0
SHA256b3e9812eb077d65b30adc9b4f86bae472b22d66f8f3c95b2d49756177bbfd4fb
SHA51276d0110eecdb0dbc8185c008f85d040885ae705b09d56f833c7254bb20f3f5a77adf2345d485c9370c5353ac0c8d2385dc90705db300f6dccec4568542847900
-
Filesize
39.2MB
MD5b31a1d7c6d732d78205b619daa8df3f0
SHA127ff179cd5a9ed7a562f62d40c492bc6963b23a0
SHA256b3e9812eb077d65b30adc9b4f86bae472b22d66f8f3c95b2d49756177bbfd4fb
SHA51276d0110eecdb0dbc8185c008f85d040885ae705b09d56f833c7254bb20f3f5a77adf2345d485c9370c5353ac0c8d2385dc90705db300f6dccec4568542847900
-
Filesize
66KB
MD5889e8ff9455bb4837f91ff644dcf2b82
SHA16bc850368a6444885e59d368ab5774cedb6792e2
SHA25656ee941f7f4fcf1e050be3544ad73cfe7a061f288a3af4960632b0fcced94d51
SHA512771af6b48883b408d45c952380ede6ab466efb776360af6bda5c0530332876d62b127803e4e4cef7e68dc64f829603cb939dbdc2d8cafe3d08dc954b796f2fa4
-
Filesize
569B
MD56ae5c2395170e2d6d29d4f1e95e676e6
SHA1533905ab44c6c68b58212f62202549646e23f2f6
SHA256c12e04bcf0c4bd14dcbb50cc96416c77080ffc4bac7fb784d462ee6d6d163d6f
SHA512492b0f4e8d4783194438f6be9d432bc008b7d72a31dbaf9aca5714e276ee13f8310408f379f165ec4ac63eb59404899c772f471a48a785ad8fd79c1cd9bfc80e
-
Filesize
122KB
MD5f83cd0592ef46ff26c4b81f3ebbeec1c
SHA19a99d054675e7fa659188e1057a271b4b59c6e78
SHA2562c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b
SHA5126c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9
-
Filesize
473KB
MD57c89d3e9baf0648fb767a70e0eacc35c
SHA16558308ec9d4be79b001c03030401c0e3c9701bc
SHA256ba6a8965961f80013100f0aa804565edfec035b141cc4484a60b658a1b858dd9
SHA51200b62dea3d4b4dd60ef307121acf1357e418b3de69b85b8ccb0f74dbb28c357a8dd410020ef325dba5c8bab8c2eac41234686a8e4fdee24063734f3f860ee7d2
-
Filesize
473KB
MD57c89d3e9baf0648fb767a70e0eacc35c
SHA16558308ec9d4be79b001c03030401c0e3c9701bc
SHA256ba6a8965961f80013100f0aa804565edfec035b141cc4484a60b658a1b858dd9
SHA51200b62dea3d4b4dd60ef307121acf1357e418b3de69b85b8ccb0f74dbb28c357a8dd410020ef325dba5c8bab8c2eac41234686a8e4fdee24063734f3f860ee7d2
-
Filesize
1.6MB
MD5838ae3dbeff52602990b920a75ec58f3
SHA19f5e1638eb907f9baa63878fa8862898342554f4
SHA25636e8d88612cfa55958f118871c346fa4ea42c19cbc90ecdea4885104089439a4
SHA512414897ea9c51e2ae9c596cb1ef61bcfcea2c33eb08530dc6f9bec19a7ef9fbf73cbe9326cd3bae3a3590504d751af654d6b163ed315d598dce5310ca067c3266
-
Filesize
1.6MB
MD5838ae3dbeff52602990b920a75ec58f3
SHA19f5e1638eb907f9baa63878fa8862898342554f4
SHA25636e8d88612cfa55958f118871c346fa4ea42c19cbc90ecdea4885104089439a4
SHA512414897ea9c51e2ae9c596cb1ef61bcfcea2c33eb08530dc6f9bec19a7ef9fbf73cbe9326cd3bae3a3590504d751af654d6b163ed315d598dce5310ca067c3266
-
Filesize
46KB
MD5f7b1a64333ab633f980b702723fb7cba
SHA1e7e04a69a84c5a9e7d0901eb00face35457a0df1
SHA256e7bde6768de9a7a1b1028d7fa52548f8c074b7355820b7a1cb2d4c2c082512d2
SHA512666d09200f0bc1762903fcfb748335d1fec27cf2cd9723a91d2ad870468b94236ad7c15ed453446accc415f0be5d40f006d57695204fd7fa30c676a8e6d2ecad
-
Filesize
46KB
MD5f7b1a64333ab633f980b702723fb7cba
SHA1e7e04a69a84c5a9e7d0901eb00face35457a0df1
SHA256e7bde6768de9a7a1b1028d7fa52548f8c074b7355820b7a1cb2d4c2c082512d2
SHA512666d09200f0bc1762903fcfb748335d1fec27cf2cd9723a91d2ad870468b94236ad7c15ed453446accc415f0be5d40f006d57695204fd7fa30c676a8e6d2ecad
-
Filesize
66KB
MD5889e8ff9455bb4837f91ff644dcf2b82
SHA16bc850368a6444885e59d368ab5774cedb6792e2
SHA25656ee941f7f4fcf1e050be3544ad73cfe7a061f288a3af4960632b0fcced94d51
SHA512771af6b48883b408d45c952380ede6ab466efb776360af6bda5c0530332876d62b127803e4e4cef7e68dc64f829603cb939dbdc2d8cafe3d08dc954b796f2fa4
-
Filesize
556B
MD5a08e9477bcf35558054417f16a5f5617
SHA15853ada9553643a039b1b56324f0c95226179c44
SHA2567ef40c0cf01ec60f42ace3924716f5ccef0f5eea84bd8f9006016ddbfcdf36d2
SHA5122f7950f9462fb26dfbd133311f2c0403929eef6c75abe416d55ca8e88dceaef15021e294c3ea683d221ae22ba7acac33c63d80d441adf28fa8ffd67a577b11b2
-
Filesize
122KB
MD5f83cd0592ef46ff26c4b81f3ebbeec1c
SHA19a99d054675e7fa659188e1057a271b4b59c6e78
SHA2562c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b
SHA5126c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9
-
Filesize
1.6MB
-
Filesize
352KB
-
Filesize
624KB
-
Filesize
496KB
-
Filesize
408KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
936KB
-
Filesize
936KB
-
Filesize
272KB
-
Filesize
160KB
-
Filesize
256KB
-
Filesize
104KB
-
Filesize
1.4MB
-
Filesize
192KB
-
Filesize
6.0MB
-
Filesize
1.1MB
-
Filesize
3.4MB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
472KB
-
Filesize
2.0MB
-
Filesize
704KB
-
Filesize
5.4MB
-
Filesize
1.5MB
-
Filesize
2.5MB
-
Filesize
39.3MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
72KB
