hxxp://we[.]tl/t-ZRlwhHea1p

max time kernel
167s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/10/2022, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://we.tl/t-ZRlwhHea1p

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	test.exe

Executes dropped EXE 5 IoCs

pid	Process
5628	slam ransomware builder installer.exe
1292	start.exe
5408	slam.exe
4216	MSBuild.exe
1340	test.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\LockGroup.crw.SLAM	test.exe
File created	C:\Users\Admin\Pictures\PingDebug.crw.SLAM	test.exe
File created	C:\Users\Admin\Pictures\ResumeWait.tiff.SLAM	test.exe
File created	C:\Users\Admin\Pictures\SaveDismount.tif.SLAM	test.exe
File created	C:\Users\Admin\Pictures\DebugApprove.tiff.SLAM	test.exe
File created	C:\Users\Admin\Pictures\FindEnable.tif.SLAM	test.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	slam ransomware builder installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	test.exe

Loads dropped DLL 6 IoCs

pid	Process
5408	slam.exe
5408	slam.exe
5408	slam.exe
5408	slam.exe
4216	MSBuild.exe
4216	MSBuild.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe"	test.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221025025757.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a3f76bfc-4a75-4b58-896e-2040dc920983.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 40 IoCs

evasion

pid	Process
5172	taskkill.exe
2408	taskkill.exe
6124	taskkill.exe
2952	taskkill.exe
1672	taskkill.exe
6024	taskkill.exe
5564	taskkill.exe
824	taskkill.exe
3732	taskkill.exe
1776	taskkill.exe
5428	taskkill.exe
5164	taskkill.exe
5612	taskkill.exe
2160	taskkill.exe
4708	taskkill.exe
3480	taskkill.exe
1528	taskkill.exe
4332	taskkill.exe
1232	taskkill.exe
5324	taskkill.exe
4352	taskkill.exe
2252	taskkill.exe
4100	taskkill.exe
2804	taskkill.exe
2344	taskkill.exe
3352	taskkill.exe
2172	taskkill.exe
2480	taskkill.exe
6008	taskkill.exe
6024	taskkill.exe
5400	taskkill.exe
6004	taskkill.exe
5908	taskkill.exe
4904	taskkill.exe
3620	taskkill.exe
5020	taskkill.exe
2660	taskkill.exe
4000	taskkill.exe
5740	taskkill.exe
5940	taskkill.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	slam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	test.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 780031000000000059556e171000534c414d5f527e310000600009000400efbe59554b1759556e172e000000df2f0200000007000000000000000000000000000000353dfb0073006c0061006d005f00720061006e0073006f006d0077006100720065005f006200750069006c00640065007200000018000000	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	slam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	slam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	slam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	slam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	slam.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	slam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	slam.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 327404.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5528	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3320	powershell.exe
3320	powershell.exe
4036	msedge.exe
4036	msedge.exe
2616	msedge.exe
2616	msedge.exe
5260	identity_helper.exe
5260	identity_helper.exe
5552	msedge.exe
5552	msedge.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe
5628	slam ransomware builder installer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	5628	slam ransomware builder installer.exe
Token: SeDebugPrivilege	6024	taskkill.exe
Token: SeDebugPrivilege	1340	test.exe
Token: SeDebugPrivilege	5564	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	5400	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	5740	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	6008	taskkill.exe
Token: SeDebugPrivilege	6004	taskkill.exe
Token: SeDebugPrivilege	5908	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	3732	taskkill.exe
Token: SeDebugPrivilege	3480	taskkill.exe
Token: SeDebugPrivilege	5940	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	6024	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	5428	taskkill.exe
Token: SeDebugPrivilege	6124	taskkill.exe
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeDebugPrivilege	4100	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	5020	taskkill.exe
Token: SeDebugPrivilege	5164	taskkill.exe
Token: SeDebugPrivilege	5324	taskkill.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
1340	test.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1340	test.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5408	slam.exe
5408	slam.exe
5408	slam.exe
5408	slam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 3588	2616	msedge.exe	84
PID 2616 wrote to memory of 3588	2616	msedge.exe	84
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 3792	2616	msedge.exe	88
PID 2616 wrote to memory of 4036	2616	msedge.exe	89
PID 2616 wrote to memory of 4036	2616	msedge.exe	89
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91
PID 2616 wrote to memory of 3648	2616	msedge.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge http://we.tl/t-ZRlwhHea1p
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch http://we.tl/t-ZRlwhHea1p
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe996846f8,0x7ffe99684708,0x7ffe99684718
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6992 /prefetch:8
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7784 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8028 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7876 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4360
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf4,0x110,0x10c,0xd0,0x104,0x7ff6fd9a5460,0x7ff6fd9a5470,0x7ff6fd9a5480
    3⤵
    PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5552
- C:\Users\Admin\Downloads\slam ransomware builder installer.exe
  "C:\Users\Admin\Downloads\slam ransomware builder installer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & taskkill /F /IM slam.exe & exit
    3⤵
    PID:5936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM slam.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & exit
    3⤵
    PID:5968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start C:\slam_ransomware_builder\start.exe & exit
    3⤵
    PID:6140
  - - C:\slam_ransomware_builder\start.exe
      C:\slam_ransomware_builder\start.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:1292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3885.tmp\start.bat" C:\slam_ransomware_builder\start.exe"
        5⤵
        
        PID:5224
      - C:\slam_ransomware_builder\slam.exe
        
        slam.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c MSBuild.exe ConsoleApp2\ConsoleApp2.sln
        7⤵
        
        PID:4692
        
        C:\slam_ransomware_builder\MSBuild.exe
        
        MSBuild.exe ConsoleApp2\ConsoleApp2.sln
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmpc928a920ec5c462ebce5a3e6b806539d.rsp"
        9⤵
        
        PID:5076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2788.tmp" "c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\CSCE04AD3F9BD246B3914DFFED5810C5FB.TMP"
        10⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config
        7⤵
        
        PID:6048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:Decrypter.exe src.cs /win32manifest:App.config
        8⤵
        
        PID:3220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B32.tmp" "c:\slam_ransomware_builder\CSC38488CCC2EB444A39A919A66EB11DBCB.TMP"
        9⤵
        
        PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2596 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3172 /prefetch:8
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1876 /prefetch:8
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2848 /prefetch:2
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,4031792392005124419,13999748989070560355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7840 /prefetch:8
  2⤵
  PID:4456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3492

C:\slam_ransomware_builder\test.exe
"C:\slam_ransomware_builder\test.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentBrowser*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecDiveciMediaService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecJobEngine*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecManagementService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM vss*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM svc$*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM memtas*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM backup*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxVss*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxBlr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxFWD*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCVD*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM GxCIMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM DefWatch*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM ccEvtMgr*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM SavRoam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM RTVscan*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBFCService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM Intuit.QuickBooks.FCS*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooBackup*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM YooIT*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM zhudongfangyu*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM sophos*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM stc_raw_agent*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VSNAPVSS*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM QBCFMonitorService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamTransportSvc*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamDeploymentService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM VeeamNFSSvc*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM PDVFSService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecVSSProvider*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecAgentAccelerator*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5164
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM BackupExecRPCService*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcrSch2Svc*
    3⤵
    - Kills process with taskkill
    PID:5612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM AcronisAgent*
    3⤵
    - Kills process with taskkill
    PID:5172
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  PID:5572
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:5968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3885.tmp\start.bat

Filesize
96B

MD5
2615bf9ed6d2e854c0602ef8fdd787df

SHA1
4e0682a961ee43b9ddce5b3c03c83945d7d0cc40

SHA256
a33ee4de5292cb00e1833b85a5dc530240bb5f23ee64a56ae7fa23ae4aabc493

SHA512
24ec09d91c3d8d93c7dd595dad8eefd00de24759e039bc4dfc6967291ee54ef2a65b693b02143352a8a7c0e83b372d77389059811927b18f52472ead1332fb8c

Download Submit
C:\Users\Admin\Downloads\slam ransomware builder installer.exe

Filesize
39.2MB

MD5
f1904cfa100a3bc813a6f8146fe13450

SHA1
833bb8d25e117dec528fe694e70fce625241b653

SHA256
a5e5dd470216db136c61f8e5e85c80dc6cc2dcf76ecc456dd2654b4e12bebf59

SHA512
599181828c24f92e78de85b6a5db3dd15e4a02ed7b8215737b600bb44c416c03ee14d8dce0fc22a3ec7d016fc0c315a2e104f1a73e8ec59adb69e3b568cdc7ca

Download Submit
C:\Users\Admin\Downloads\slam ransomware builder installer.exe

Filesize
39.2MB

MD5
f1904cfa100a3bc813a6f8146fe13450

SHA1
833bb8d25e117dec528fe694e70fce625241b653

SHA256
a5e5dd470216db136c61f8e5e85c80dc6cc2dcf76ecc456dd2654b4e12bebf59

SHA512
599181828c24f92e78de85b6a5db3dd15e4a02ed7b8215737b600bb44c416c03ee14d8dce0fc22a3ec7d016fc0c315a2e104f1a73e8ec59adb69e3b568cdc7ca

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2.sln

Filesize
1KB

MD5
d9867f790d17d19dd919ba90ed1576c8

SHA1
483299a1e62f1a6593151cb7891406962f0f6f5f

SHA256
3d22c8efce70229c9fe6b4f6c7db5e6aed86b13bdfa062cb6a7dc4924b6ce2d6

SHA512
01dbe0c98d261962d7ef1bb1365a64fece3f20b1a5cead954ec0a2a79713272c51001ecd11de34fbbc53d783263e3dadb6974f933987b33cb67693df48a15f76

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\1.ico

Filesize
66KB

MD5
889e8ff9455bb4837f91ff644dcf2b82

SHA1
6bc850368a6444885e59d368ab5774cedb6792e2

SHA256
56ee941f7f4fcf1e050be3544ad73cfe7a061f288a3af4960632b0fcced94d51

SHA512
771af6b48883b408d45c952380ede6ab466efb776360af6bda5c0530332876d62b127803e4e4cef7e68dc64f829603cb939dbdc2d8cafe3d08dc954b796f2fa4

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\App.config

Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\ConsoleApp2.csproj

Filesize
3KB

MD5
10fde86ad04c13c1504c2b35b1e13d3b

SHA1
a13001bdaca14977bbb7522544f3d5f6f38ba759

SHA256
c5cd177d7580c2d3cd6445d719269478dc1f575911ac1dedfdb2dab57c1f1dcb

SHA512
81ad4bb9564bd775f8d35e2554b32e8a15894d446d885a67608fd5aaf36c1a2191f2b47623776b5941fc9de1cff5c8079433bd42814b5446393f9d6c4b138239

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Properties\AssemblyInfo.cs

Filesize
569B

MD5
6ae5c2395170e2d6d29d4f1e95e676e6

SHA1
533905ab44c6c68b58212f62202549646e23f2f6

SHA256
c12e04bcf0c4bd14dcbb50cc96416c77080ffc4bac7fb784d462ee6d6d163d6f

SHA512
492b0f4e8d4783194438f6be9d432bc008b7d72a31dbaf9aca5714e276ee13f8310408f379f165ec4ac63eb59404899c772f471a48a785ad8fd79c1cd9bfc80e

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Properties\Resources.resx

Filesize
6KB

MD5
a73549f32d077a8c19bcaafe5dc34c13

SHA1
e148e987ee299d88bdddd83107661584366536b5

SHA256
8aa81e098cfe66b5b30ebaef4aea19d22d229138ab19059f7cbd7feff04fec56

SHA512
4b009bdcba0d07965a8d0658da9cd28b5730b89731b3030cd81f74dc989fc0bf6df7141ec4935166b0516f0f1f3ec85becdc98cdeb7b6fc1d5088f8368692f56

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Resources\Newtonsoft.Json.dl

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Resources\wallpaper.jpg.SLAM

Filesize
122KB

MD5
f83cd0592ef46ff26c4b81f3ebbeec1c

SHA1
9a99d054675e7fa659188e1057a271b4b59c6e78

SHA256
2c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b

SHA512
6c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Resources\wallpaper.jpg.SLAM

Filesize
122KB

MD5
f83cd0592ef46ff26c4b81f3ebbeec1c

SHA1
9a99d054675e7fa659188e1057a271b4b59c6e78

SHA256
2c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b

SHA512
6c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\.NETFramework,Version=v4.7.2.AssemblyAttributes.cs

Filesize
214B

MD5
896ab120ac6b6af2895fdb71c452b9d3

SHA1
eb545ccd7a1bafcdf31ad0f32c09ac505744aa39

SHA256
621199557e90fb1661e401cc9a973163c850b4b7e65bbc8d100f67f6699eef70

SHA512
834f53444444cee5c348da44674a2b8e6ce51f21a7565a23629001a5c535533c78a4dff8663176d982bab24f0dd272868cfc5c2fadeccc9b97a14f6946766dee

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\ConsoleApp2.csproj.AssemblyReference.cache

Filesize
9KB

MD5
f95571aba36661a497553a04bd470ce0

SHA1
10a7917eb303c620b9bbfd549eb20dfc1516932c

SHA256
202f72d03579fbf9f65535a0299078f1e56355ac1bd82f7a49eb83429599c0ba

SHA512
758e3eddbacec89f4c6bebdeb0754cc18f414885740992187d49d47ca07f30318eaccc0a6e3d4625afe580b2877d37c9e2768af92065bcc288c0d72cc46f37b4

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\DesignTimeResolveAssemblyReferencesInput.cache

Filesize
8KB

MD5
73b6fc93329bc76c8769664f37a38713

SHA1
826735c744989d0f03d733ccbb6f1c0944be1eea

SHA256
7da3e39b3f6a792f6dc37dfb2f678b7c603ba0ba520bee73e7011b14117c1806

SHA512
a2e3884c992acace66264958e8aefc55b1d1f504fe30627881db6573a9254bce971164b83144c0ff92e11bfe1ff41ce62ad0a695f9ccaa9eb6952f27b96a2644

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\slam_ransomware_builder\FastColoredTextBox.dll

Filesize
325KB

MD5
adac0cee5cc4de7d4046ae1243e41bf0

SHA1
c8d6d92f0dbee64d0f4c0930f0d2699a8253e891

SHA256
68d0e444c0b27552d2cb86501dcb7db3fd64b82d966e9708db0408ec1ba38c79

SHA512
1d7af604540532a4121850760b1e401bb6356e59503c26f3d1fa358a105b7d88362c92f78aa4394095b165f06c484b8c2d2ed640380e85ef9b3eb087d3e7c869

Download Submit
C:\slam_ransomware_builder\FastColoredTextBox.dll

Filesize
325KB

MD5
adac0cee5cc4de7d4046ae1243e41bf0

SHA1
c8d6d92f0dbee64d0f4c0930f0d2699a8253e891

SHA256
68d0e444c0b27552d2cb86501dcb7db3fd64b82d966e9708db0408ec1ba38c79

SHA512
1d7af604540532a4121850760b1e401bb6356e59503c26f3d1fa358a105b7d88362c92f78aa4394095b165f06c484b8c2d2ed640380e85ef9b3eb087d3e7c869

Download Submit
C:\slam_ransomware_builder\FastColoredTextBox.dll

Filesize
325KB

MD5
adac0cee5cc4de7d4046ae1243e41bf0

SHA1
c8d6d92f0dbee64d0f4c0930f0d2699a8253e891

SHA256
68d0e444c0b27552d2cb86501dcb7db3fd64b82d966e9708db0408ec1ba38c79

SHA512
1d7af604540532a4121850760b1e401bb6356e59503c26f3d1fa358a105b7d88362c92f78aa4394095b165f06c484b8c2d2ed640380e85ef9b3eb087d3e7c869

Download Submit
C:\slam_ransomware_builder\Figgle.dll

Filesize
473KB

MD5
7c89d3e9baf0648fb767a70e0eacc35c

SHA1
6558308ec9d4be79b001c03030401c0e3c9701bc

SHA256
ba6a8965961f80013100f0aa804565edfec035b141cc4484a60b658a1b858dd9

SHA512
00b62dea3d4b4dd60ef307121acf1357e418b3de69b85b8ccb0f74dbb28c357a8dd410020ef325dba5c8bab8c2eac41234686a8e4fdee24063734f3f860ee7d2

Download Submit
C:\slam_ransomware_builder\Figgle.dll

Filesize
473KB

MD5
7c89d3e9baf0648fb767a70e0eacc35c

SHA1
6558308ec9d4be79b001c03030401c0e3c9701bc

SHA256
ba6a8965961f80013100f0aa804565edfec035b141cc4484a60b658a1b858dd9

SHA512
00b62dea3d4b4dd60ef307121acf1357e418b3de69b85b8ccb0f74dbb28c357a8dd410020ef325dba5c8bab8c2eac41234686a8e4fdee24063734f3f860ee7d2

Download Submit
C:\slam_ransomware_builder\Figgle.dll

Filesize
473KB

MD5
7c89d3e9baf0648fb767a70e0eacc35c

SHA1
6558308ec9d4be79b001c03030401c0e3c9701bc

SHA256
ba6a8965961f80013100f0aa804565edfec035b141cc4484a60b658a1b858dd9

SHA512
00b62dea3d4b4dd60ef307121acf1357e418b3de69b85b8ccb0f74dbb28c357a8dd410020ef325dba5c8bab8c2eac41234686a8e4fdee24063734f3f860ee7d2

Download Submit
C:\slam_ransomware_builder\MSBuild.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\slam_ransomware_builder\MSBuild.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\slam_ransomware_builder\fonts\big.flf

Filesize
28KB

MD5
53d797b00ba6bb56ba3c804afedabc2f

SHA1
9cccecd73d7767aef0f83ebbe8efb097cde612e2

SHA256
931beae4b5b7a6a0fff63a6a0b80a974f94bd7e723a3a506bebb45095dc384a1

SHA512
aa7d91210e653d807898fe385e018353e4602666171c77b5f2c12e7b5aaf98f62809401c0165372dd7b41a80c6f1f13df6072c245b6b2340a30215425c0c5d32

Download Submit
C:\slam_ransomware_builder\slam ransomware builder.exe

Filesize
1.6MB

MD5
04096ebe5f1da9430a6c98aceb4ca99a

SHA1
40a0a027eda6ebb90a51a42685fed896f686c728

SHA256
845a571de434a4f73b71ff0e6d50521095bf1da5d51d3d0d8397d07d374af3b2

SHA512
44ce2c37074a7ef495ff9f906bd81ea1f13a5640d3af1020c9b5e449515d31c210f7e8a41d896de47c3b4dbfe50301ac5482886c9f383a66abb5f541c5695da8

Download Submit
C:\slam_ransomware_builder\slam.exe

Filesize
1.6MB

MD5
04096ebe5f1da9430a6c98aceb4ca99a

SHA1
40a0a027eda6ebb90a51a42685fed896f686c728

SHA256
845a571de434a4f73b71ff0e6d50521095bf1da5d51d3d0d8397d07d374af3b2

SHA512
44ce2c37074a7ef495ff9f906bd81ea1f13a5640d3af1020c9b5e449515d31c210f7e8a41d896de47c3b4dbfe50301ac5482886c9f383a66abb5f541c5695da8

Download Submit
C:\slam_ransomware_builder\start.exe

Filesize
46KB

MD5
f7b1a64333ab633f980b702723fb7cba

SHA1
e7e04a69a84c5a9e7d0901eb00face35457a0df1

SHA256
e7bde6768de9a7a1b1028d7fa52548f8c074b7355820b7a1cb2d4c2c082512d2

SHA512
666d09200f0bc1762903fcfb748335d1fec27cf2cd9723a91d2ad870468b94236ad7c15ed453446accc415f0be5d40f006d57695204fd7fa30c676a8e6d2ecad

Download Submit
C:\slam_ransomware_builder\start.exe

Filesize
46KB

MD5
f7b1a64333ab633f980b702723fb7cba

SHA1
e7e04a69a84c5a9e7d0901eb00face35457a0df1

SHA256
e7bde6768de9a7a1b1028d7fa52548f8c074b7355820b7a1cb2d4c2c082512d2

SHA512
666d09200f0bc1762903fcfb748335d1fec27cf2cd9723a91d2ad870468b94236ad7c15ed453446accc415f0be5d40f006d57695204fd7fa30c676a8e6d2ecad

Download Submit
C:\slam_ransomware_builder\uac\ConsoleApp2\1.ico

Filesize
66KB

MD5
889e8ff9455bb4837f91ff644dcf2b82

SHA1
6bc850368a6444885e59d368ab5774cedb6792e2

SHA256
56ee941f7f4fcf1e050be3544ad73cfe7a061f288a3af4960632b0fcced94d51

SHA512
771af6b48883b408d45c952380ede6ab466efb776360af6bda5c0530332876d62b127803e4e4cef7e68dc64f829603cb939dbdc2d8cafe3d08dc954b796f2fa4

Download Submit
C:\slam_ransomware_builder\uac\ConsoleApp2\Properties\AssemblyInfo.cs

Filesize
556B

MD5
a08e9477bcf35558054417f16a5f5617

SHA1
5853ada9553643a039b1b56324f0c95226179c44

SHA256
7ef40c0cf01ec60f42ace3924716f5ccef0f5eea84bd8f9006016ddbfcdf36d2

SHA512
2f7950f9462fb26dfbd133311f2c0403929eef6c75abe416d55ca8e88dceaef15021e294c3ea683d221ae22ba7acac33c63d80d441adf28fa8ffd67a577b11b2

Download Submit
C:\slam_ransomware_builder\wallpaper.jpg.SLAM

Filesize
122KB

MD5
f83cd0592ef46ff26c4b81f3ebbeec1c

SHA1
9a99d054675e7fa659188e1057a271b4b59c6e78

SHA256
2c070169ac950517fd5e828e309fb0e27ad24cfc94dfbc2c3de5f6a9adbc8d7b

SHA512
6c3576a275fb7da04c982682999ebaed346af757e88f2b5d12cc1ecaf3bb9639a458a2e207f69d5fa04dd03272e831d1c07e0a7c46beb28c2a51ef93425b2df9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\.NETFramework,Version=v4.7.2.AssemblyAttributes.cs

Filesize
194B

MD5
60e83364aba7437f89860f4fed9b0ca6

SHA1
a346530400ddfb4e709aac20d1201ce2047adae5

SHA256
0c2eadb59d40b199250a3c2e0c3119180c9f0c00e069bf51bb7bb39c9b2eeefb

SHA512
295f9ecd2034cc9cc6c23375f0827decc382d2fec17848e210261edd6561ef7ac5737f7ace00b981885c500ffa31f61a69e620bc9312cb27fd9718aab30be591

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmpc928a920ec5c462ebce5a3e6b806539d.rsp

Filesize
2KB

MD5
084b15ba76ccc049427f797e87f1d4b5

SHA1
36bbe125b2c52f4c530113e75847e30f8e48cae6

SHA256
bc92718bfbe5317d76cb52030c8793c7a457e5a6bc5eb7e5b44725c352f30d39

SHA512
5e8024d57cea611ec235bee73daa7942c5a209273041529824e96b903b2ea0ea4938ae63954b9732525d7d3d7f705823dae31c46e91ca464a2a934af440db9b7

Download Submit
\??\c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\CenterScreen.cs

Filesize
1KB

MD5
f031292fd99d65f3a9f2bc533bd90014

SHA1
65b8a430785cf82853d347ffd8619b268a7f84c4

SHA256
f7b7df68d57eaa80fdeb055c522eaa47a6f41d962e1e3a50343ea36fda3bd80f

SHA512
7357dfe0f5a9536a926e87cdc860e06eaa724e518e65ce9e33d265e69ff5b82eb8d42b759df32a83052f453ed623c1481c8ff06075b19d24f56394f54e3b8948

Download Submit
\??\c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Program.cs

Filesize
58KB

MD5
af9d810ac1d17d8ce39a0108d57d78f1

SHA1
d7d795bfee7418690d634b2423aa096a1a3fbb58

SHA256
54b3a4f7694bdeddd1e10c95db7de54d4ee21dd6daf4f62e10a87d08b36fc0d0

SHA512
ae84d87c1235812fda6777c6092844905d1d830e06df8274e341d401c4de1cd4b41c40a2a62cc0fa1d97de2d1f331b48672a601d19f1af6bf891e0387ef1dc9e

Download Submit
\??\c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Properties\AssemblyInfo.cs

Filesize
569B

MD5
6ae5c2395170e2d6d29d4f1e95e676e6

SHA1
533905ab44c6c68b58212f62202549646e23f2f6

SHA256
c12e04bcf0c4bd14dcbb50cc96416c77080ffc4bac7fb784d462ee6d6d163d6f

SHA512
492b0f4e8d4783194438f6be9d432bc008b7d72a31dbaf9aca5714e276ee13f8310408f379f165ec4ac63eb59404899c772f471a48a785ad8fd79c1cd9bfc80e

Download Submit
\??\c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Properties\Resources.Designer.cs

Filesize
3KB

MD5
a18c2165eca83b60b14010fddb2dab12

SHA1
99f56e0e02b2f12d2ba96380b8410977cec61a42

SHA256
aebf224697035142a1448fb6653cf3c85fb23fa92713ff6bc84c65bbc187040d

SHA512
58aadd355a0f89f6657acab51ac3dcb76ad037dcd05d7df375fc8f71981f02e9d7aff62b808ce26ba92f863df16099eefe722cda066aba2d03438270fcb55f48

Download Submit
\??\c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\webhook.cs

Filesize
3KB

MD5
48328b99df8af9ae9f83f4eedda844c2

SHA1
7522860dacea9e8716c2dacfc8866f22abc23b5a

SHA256
67e69dd78f613b9775dbb1f7320e11a39f6bf7dae79d006a28ac5d5c91cef6f9

SHA512
137f27ee94332087ed02a884e623fa7a176cf78d16c3e93c77bc8cbba82aa3b949fab0d6201f78937eee922d3f0d0bc34ce9cc70aa61935c7b44415f8ca7e695

Download Submit
memory/1340-273-0x0000000000E90000-0x0000000000F7C000-memory.dmp

Filesize
944KB

Download
memory/3320-133-0x00007FFE98780000-0x00007FFE99241000-memory.dmp

Filesize
10.8MB

Download
memory/3320-134-0x00007FFE98780000-0x00007FFE99241000-memory.dmp

Filesize
10.8MB

Download
memory/3320-132-0x000001687DDF0000-0x000001687DE12000-memory.dmp

Filesize
136KB

Download
memory/4216-242-0x0000000006BE0000-0x00000000071DE000-memory.dmp

Filesize
6.0MB

Download
memory/4216-244-0x0000000006610000-0x0000000006638000-memory.dmp

Filesize
160KB

Download
memory/4216-230-0x00000000057E0000-0x000000000593A000-memory.dmp

Filesize
1.4MB

Download
memory/4216-233-0x0000000006300000-0x0000000006422000-memory.dmp

Filesize
1.1MB

Download
memory/4216-234-0x0000000006240000-0x0000000006284000-memory.dmp

Filesize
272KB

Download
memory/4216-229-0x0000000003210000-0x000000000322A000-memory.dmp

Filesize
104KB

Download
memory/4216-228-0x0000000000D90000-0x0000000000DD0000-memory.dmp

Filesize
256KB

Download
memory/4216-237-0x0000000006A00000-0x0000000006F6C000-memory.dmp

Filesize
5.4MB

Download
memory/4216-241-0x0000000006550000-0x0000000006600000-memory.dmp

Filesize
704KB

Download
memory/4216-252-0x0000000006760000-0x00000000068DC000-memory.dmp

Filesize
1.5MB

Download
memory/4216-251-0x0000000006870000-0x0000000006AF6000-memory.dmp

Filesize
2.5MB

Download
memory/4216-250-0x0000000005DB0000-0x0000000005DE0000-memory.dmp

Filesize
192KB

Download
memory/4216-243-0x0000000006950000-0x0000000006CB6000-memory.dmp

Filesize
3.4MB

Download
memory/4216-245-0x0000000006600000-0x0000000006612000-memory.dmp

Filesize
72KB

Download
memory/4216-231-0x0000000005650000-0x0000000005680000-memory.dmp

Filesize
192KB

Download
memory/4216-246-0x0000000006660000-0x00000000066D6000-memory.dmp

Filesize
472KB

Download
memory/4216-248-0x0000000006E0C000-0x000000000700E000-memory.dmp

Filesize
2.0MB

Download
memory/5408-211-0x00000000093B0000-0x0000000009408000-memory.dmp

Filesize
352KB

Download
memory/5408-219-0x0000000009CC0000-0x0000000009D3C000-memory.dmp

Filesize
496KB

Download
memory/5408-199-0x00000000002D0000-0x0000000000470000-memory.dmp

Filesize
1.6MB

Download
memory/5408-200-0x0000000008540000-0x00000000085DC000-memory.dmp

Filesize
624KB

Download
memory/5408-201-0x0000000008E90000-0x0000000008EF6000-memory.dmp

Filesize
408KB

Download
memory/5628-177-0x00000000009B0000-0x00000000030F4000-memory.dmp

Filesize
39.3MB

Download
memory/5628-184-0x0000000007B50000-0x0000000007B5A000-memory.dmp

Filesize
40KB

Download
memory/5628-185-0x0000000009B40000-0x0000000009B4A000-memory.dmp

Filesize
40KB

Download
memory/5628-188-0x000000000C440000-0x000000000C452000-memory.dmp

Filesize
72KB

Download
memory/5628-182-0x0000000008180000-0x0000000008724000-memory.dmp

Filesize
5.6MB

Download
memory/5628-183-0x0000000007A90000-0x0000000007B22000-memory.dmp

Filesize
584KB

Download