Analysis
- max time kernel: 50s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 08/03/2022, 23:12
Static task: static1
Behavioral task: behavioral1
- Sample: Taleb.Ransom.exe
- Resource: win10v2004-en-20220113
0 signatures, 0 seconds
General
- Target: Taleb.Ransom.exe
- Size: 10.8MB
- MD5: ac09b7550eda13e03a55448fd8367e2d
- SHA1: 8266a12669a4a3952cb9af86e75ed74c27c71013
- SHA256: 4b78968928cfa5437ffdd56a39a5ea8c10a7b6dc5d3f342d003260088876b3cf
- SHA512: 44cace3038bd96fa36a9d3b16251573f625f5e7cb53f0233d87f6e8ab564e731bd8719088feec44f47a460c0a096b964c2c0e77f3f1c371b773e66407aef5d29
- Score: 8/10
Malware Config
Signatures
Modifies Windows Firewall (1 TTPs)

Modifies extensions of user files (1 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: Taleb.Ransom.exe
- File opened for modification: C:\Users\Admin\Pictures\OutCheckpoint.tiff
The appended extension itself is visible in the Program Files list further down: ".(MJ-GL6271085349)([email protected]).Godox", with the contact address shown in the obscured form in which the page renders it.

Drops startup file (1 IoCs)
Process: Taleb.Ransom.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
The only hit is the Startup folder's desktop.ini, the same file-walk artefact as the desktop.ini signature below; no executable or script dropped for persistence is listed on this page.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (64 IoCs)
Process: Taleb.Ransom.exe
The hits cover desktop.ini in essentially every profile, Start Menu and Program Files folder, which is consistent with the encryptor walking the whole volume and touching each folder's desktop.ini rather than a targeted drop.
- File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
- File opened for modification: C:\Users\Admin\Desktop\desktop.ini
- File opened for modification: C:\Users\Admin\Videos\desktop.ini
- File opened for modification: C:\Users\Public\Downloads\desktop.ini
- File opened for modification: C:\Windows\Media\Desktop.ini
- File opened for modification: C:\Users\Public\Videos\desktop.ini
- File opened for modification: C:\Program Files (x86)\desktop.ini
- File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
- File opened for modification: C:\Users\Admin\3D Objects\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- File opened for modification: C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- File opened for modification: C:\Windows\Fonts\desktop.ini
- File created: C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini
- File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- File opened for modification: C:\Users\Public\Libraries\desktop.ini
- File opened for modification: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
- File opened for modification: C:\Users\Public\Documents\desktop.ini
- File opened for modification: C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini
- File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
- File opened for modification: C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- File opened for modification: C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini
- File opened for modification: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- File opened for modification: C:\Users\Admin\Music\desktop.ini
- File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- File opened for modification: C:\Windows\Downloaded Program Files\desktop.ini
- File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- File opened for modification: C:\Users\Admin\Favorites\Links\desktop.ini
- File opened for modification: C:\Users\Admin\Links\desktop.ini
- File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- File opened for modification: C:\Users\Admin\Cookies\desktop.ini
- File opened for modification: C:\Users\Admin\Downloads\desktop.ini
- File opened for modification: C:\Users\Public\desktop.ini
- File opened for modification: C:\Users\Public\Music\desktop.ini
- File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
- File opened for modification: C:\Users\Admin\Documents\desktop.ini
- File opened for modification: C:\Users\Admin\Saved Games\desktop.ini
- File opened for modification: C:\Users\Admin\Searches\desktop.ini
- File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- File opened for modification: C:\Users\Admin\Pictures\desktop.ini
- File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- File opened for modification: C:\Program Files\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- File opened for modification: C:\Users\Admin\Contacts\desktop.ini
- File created: C:\Program Files\desktop.ini
- File opened for modification: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- File opened for modification: C:\Users\Admin\Favorites\desktop.ini
- File opened for modification: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini
Drops autorun.inf file (1 TTPs)
Malware can abuse Windows Autorun to spread further via attached volumes.

Drops file in System32 directory (1 IoCs)
Process: Taleb.Ransom.exe
- File opened for modification: C:\Windows\SysWOW64\regedit.exe
The path is the 32-bit copy of regedit.exe under SysWOW64 rather than System32 itself; "System32 directory" is the signature's category label.
Drops file in Program Files directory (64 IoCs)
Process: Taleb.Ransom.exe
- File created: C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.(MJ-GL6271085349)([email protected]).Godox
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-400_contrast-black.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-400.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-200_contrast-white.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\ui-strings.js
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-24_altform-unplated.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-125.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-400_contrast-white.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.winforms.dll
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-125_contrast-black.png
- File created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\.eclipseproduct.(MJ-GL6271085349)([email protected]).Godox
- File created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496939244.profile.gz.(MJ-GL6271085349)([email protected]).Godox
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-200.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\ui-strings.js
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-BoldIt.otf
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.(MJ-GL6271085349)([email protected]).Godox
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Fingerprinting
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\THMBNAIL.PNG
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-125.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-16_contrast-black.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\mrt_map.dll
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\googleProfileAvatars.png
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.(MJ-GL6271085349)([email protected]).Godox
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\cy.pak.DATA
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.winforms.dll.(MJ-GL6271085349)([email protected]).Godox
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\d3d9\libdirect3d9_filters_plugin.dll
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-100_contrast-white.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_Flight_Light.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right-pressed.gif
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\es.pak.DATA.(MJ-GL6271085349)([email protected]).Godox
- File created: C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe.(MJ-GL6271085349)([email protected]).Godox
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\deploy.dll.(MJ-GL6271085349)([email protected]).Godox
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\playlist\soundcloud.luac
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.properties
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-400.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\DialSticker.mp4
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-200_contrast-black.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-200.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp6.scale-100.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms
- File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\nacl_irt_x86_64.nexe
- File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\bg.pak.(MJ-GL6271085349)([email protected]).Godox
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAB.TTF.(MJ-GL6271085349)([email protected]).Godox
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-100.png
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grouping.Base.dll.(MJ-GL6271085349)([email protected]).Godox
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-200_contrast-black.png
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60_altform-lightunplated.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-200.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\ui-strings.js
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\ui-strings.js
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt
Drops file in Windows directory (64 IoCs)
Process: Taleb.Ransom.exe
- File opened for modification: C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini
- File opened for modification: C:\Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_es_31bf3856ad364e35\System.Management.Automation.Resources.dll
- File opened for modification: C:\Windows\INF\c_multiportserial.inf
- File opened for modification: C:\Windows\INF\dshowext.inf
- File opened for modification: C:\Windows\INF\fdc.inf
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\Microsoft.ApplicationId.RuleWizard.Resources.dll
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.DurableInstancing.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\System.Runtime.DurableInstancing.resources.dll
- File opened for modification: C:\Windows\BitLockerDiscoveryVolumeContents\sk-SK_BitLockerToGo.exe.mui
- File opened for modification: C:\Windows\diagnostics\system\Device\DiagPackage.diagpkg
- File opened for modification: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.Resources.dll
- File opened for modification: C:\Windows\INF\c_firmware.inf
- File opened for modification: C:\Windows\INF\smrvolume.inf
- File opened for modification: C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\0410\PerfCounters_d.ini
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Utility.Activities.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\Microsoft.PowerShell.Utility.Activities.Resources.dll
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.Protocols.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\System.DirectoryServices.Protocols.resources.dll
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.XPath\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Xml.XPath.dll
- File opened for modification: C:\Windows\BitLockerDiscoveryVolumeContents\Read Me.url
- File opened for modification: C:\Windows\Boot\EFI\boot.stl
- File opened for modification: C:\Windows\Cursors\aero_helpsel_xl.cur
- File opened for modification: C:\Windows\Cursors\pin_l.cur
- File opened for modification: C:\Windows\Cursors\pin_rm.cur
- File opened for modification: C:\Windows\Fonts\8514fixt.fon
- File opened for modification: C:\Windows\INF\TermService\0410\tslabels.ini
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\v4.0_1.0.0.0_it_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.resources.dll
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.dll
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll
- File opened for modification: C:\Windows\diagnostics\index\BluetoothDiagnostic.xml
- File opened for modification: C:\Windows\Help\mui\0407\odbcjet.chm
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\System.Configuration.Install.resources.dll
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- File opened for modification: C:\Windows\INF\netl160a.inf
- File opened for modification: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\UKRAINE.TXT
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll
- File opened for modification: C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\c4a96325490751c8606894bbe3306589\PresentationCore.ni.dll
- File opened for modification: C:\Windows\diagnostics\system\Audio\de-DE\DiagPackage.dll.mui
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Transactions.resources\v4.0_4.0.0.0_es_b77a5c561934e089\System.Transactions.resources.dll
- File opened for modification: C:\Windows\Boot\EFI\kd_0C_8086.dll
- File opened for modification: C:\Windows\diagnostics\system\BITS\RS_BITSRegKeys.ps1
- File opened for modification: C:\Windows\diagnostics\system\Keyboard\fr-FR\DiagPackage.dll.mui
- File opened for modification: C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\en-US\CL_LocalizationData.psd1
- File opened for modification: C:\Windows\INF\idtsec.inf
- File opened for modification: C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Text.RegularExpressions\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Text.RegularExpressions.dll
- File opened for modification: C:\Windows\IME\IMEJP\help\IMJPCLE.CHM
- File opened for modification: C:\Windows\INF\c_ports.inf
- File opened for modification: C:\Windows\Installer\SourceHash{7DAD0258-515C-3DD4-8964-BD714199E0F7}
- File opened for modification: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100cht_x86
- File opened for modification: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\appcenter_r.aapp
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets.Resources\v4.0_1.0.0.0_es_31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.Resources.dll
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\System.Deployment.resources.dll
- File opened for modification: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll
- File opened for modification: C:\Windows\diagnostics\index\WindowsMediaPlayerPlayDVD.xml
- File opened for modification: C:\Windows\ImmersiveControlPanel\images\logo.contrast-black_scale-125.png
- File opened for modification: C:\Windows\INF\wvmic_ext.inf
- File opened for modification: C:\Windows\Media\Windows User Account Control.wav
- File opened for modification: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DataVisualization.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\System.Web.DataVisualization.resources.dll
- File opened for modification: C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\it-IT\CL_LocalizationData.psd1
- File opened for modification: C:\Windows\Fonts\courer.fon
- File opened for modification: C:\Windows\ImmersiveControlPanel\Telemetry.Common.dll
- File opened for modification: C:\Windows\INF\c_pcmcia.inf
- File opened for modification: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\displaylanguagenames.en_gb.t
- File opened for modification: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\065c68c5df73d6d3fe1af0c906703dcf\System.ServiceProcess.ni.dll.aux
- File opened for modification: C:\Windows\INF\MSDTC Bridge 4.0.0.0\_TransactionBridgePerfCounters.h
Program crash (4 IoCs)
pid   pid_target  Process       procid_target
4392  3024        WerFault.exe  55
4024  260         WerFault.exe  144
4796  3800        WerFault.exe  151
1840  3800        WerFault.exe  151
NTFS ADS (23 IoCs)
Process: Taleb.Ransom.exe
The stream names are reproduced as the sandbox logged them. The truncated host-file fragments ("de8", "Mi", "{A", "C7") and the high, mostly non-printable code points after the colon look like malformed path strings handed to the file API rather than deliberately named streams, so weigh this signature accordingly.
- File opened for modification: C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:腰Ļ
- File opened for modification: C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\藰Ļsk8:蔘Ļ
- File opened for modification: C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:蜐Ļ
- File opened for modification: C:\Users\Default\Documents\My Pictures\쥨ŀcr:<蚀Ļ\烘Ļ承眤RT澠Ļ
- File opened for modification: C:\Users\All Users\Desktop\Setup\{A:<큐ɵ
- File opened for modification: C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:藰Ļ
- File opened for modification: C:\Users\Default\Documents\My Videos\Mi:<蹠Ļ
- File opened for modification: C:\Users\Default\Documents\My Music\Mi:<품ɵ
- File opened for modification: C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:᪐ĺ
- File opened for modification: C:\Users\All Users\Desktop\Setup\{A:<旰ɸ
- File opened for modification: C:\Users\Default\Documents\My Music\Mi:<蹠Ļ
- File opened for modification: C:\Users\All Users\Desktop\Setup\鄐ŀC7:<펰ɵ
- File opened for modification: C:\Users\Default\Documents\My Pictures\Mi:<품ɵ
- File opened for modification: C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\舀Ļsk8:苠Ķ
- File opened for modification: C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:苠Ķ
- File opened for modification: C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\ᬠĺsk8:ᨀĺ
- File opened for modification: C:\Users\Default\Documents\My Pictures\Mi:<蹠Ļ
- File opened for modification: C:\Users\Default\Documents\My Music\쥨ŀcr:<蚀Ļ\Ķ承眤LNꇠĻ
- File opened for modification: C:\Users\Default\Documents\My Videos\쥨ŀcr:<蚀Ļ\律Ķ承眤NPꍀĻ
- File opened for modification: C:\Users\Default\Documents\My Videos\Mi:<품ɵ
- File opened for modification: C:\Users\All Users\Desktop\Setup\쪨ŀC7:<豨Ļ
- File opened for modification: C:\Users\All Users\Desktop\Setup\았ŀC7:<耈Ļ
- File opened for modification: C:\Users\All Users\Desktop\Setup\{A:<昸ɸ
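To turn the flattened file IoC rows above (the entries under "Modifies extensions of user files", "Drops file in Program Files directory" and the NTFS ADS list) into something a triage note can use, the following Python is an added example, not part of the tria.ge report and not code from the sample. It parses rows in the page's "<event> <path> <process>" shape, recovers the original filename behind the appended ransom suffix, and separates NTFS stream names from their host path. The sample rows are a constructed subset copied from this page; the "[email protected]" token in the suffix is kept exactly as the page renders it, so the parser treats the bracketed contact as an opaque string.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed subset of IoC rows copied from the report, in the page's
# flattened "<event> <path> <process>" shape. "[email protected]" is kept as
# the page shows it; the real contact string is not visible on the page.
SAMPLE_ROWS = [
    r"File opened for modification C:\Users\Admin\Pictures\OutCheckpoint.tiff Taleb.Ransom.exe",
    r"File created C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe.(MJ-GL6271085349)([email protected]).Godox Taleb.Ransom.exe",
    r"File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\deploy.dll.(MJ-GL6271085349)([email protected]).Godox Taleb.Ransom.exe",
    r"File opened for modification C:\Program Files\VideoLAN\VLC\plugins\d3d9\libdirect3d9_filters_plugin.dll Taleb.Ransom.exe",
    r"File created C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini Taleb.Ransom.exe",
    r"File opened for modification C:\Users\All Users\Desktop\Setup\{A:<큐ɵ Taleb.Ransom.exe",
    r"File opened for modification C:\Users\Default\Documents\My Videos\Mi:<蹠Ļ Taleb.Ransom.exe",
]

EVENTS = ("File opened for modification", "File created")

# Ransom suffix as it appears on this page: ".(<victim id>)(<contact>).<marker>"
RANSOM_SUFFIX = re.compile(r"\.\(([^()]+)\)\(([^()]+)\)\.([A-Za-z0-9]+)$")


@dataclass
class FileIoc:
    event: str
    path: str
    process: str


def parse_row(row: str) -> FileIoc:
    """Split one flattened row into (event, path, process).

    The event is one of the fixed prefixes, the process is the last
    whitespace-separated token, and everything in between is the path
    (which may itself contain spaces, e.g. "Program Files (x86)").
    """
    for event in EVENTS:
        if row.startswith(event + " "):
            path, _, process = row[len(event) + 1:].rpartition(" ")
            return FileIoc(event, path, process)
    raise ValueError(f"unrecognised IoC row: {row!r}")


def ransom_suffix(path: str):
    """Return (victim_id, contact, marker, original_path) when the path
    carries the ransom suffix, else None."""
    m = RANSOM_SUFFIX.search(path)
    if m is None:
        return None
    return m.group(1), m.group(2), m.group(3), path[: m.start()]


def ads_split(path: str):
    """Return (host_path, stream_name) for an NTFS alternate-data-stream
    path, else None. The drive-letter colon at index 1 is skipped."""
    idx = path.find(":", 2)
    if idx == -1:
        return None
    return path[:idx], path[idx + 1:]


def summarise(rows):
    """Aggregate rows into event counts, the ransom suffix(es) seen, the
    original names behind renamed files, and ADS host/stream pairs."""
    events, suffixes, renamed, streams = Counter(), Counter(), [], []
    for row in rows:
        ioc = parse_row(row)
        events[ioc.event] += 1
        hit = ransom_suffix(ioc.path)
        if hit is not None:
            victim_id, contact, marker, original = hit
            suffixes[(victim_id, contact, marker)] += 1
            renamed.append(original)
        ads = ads_split(ioc.path)
        if ads is not None:
            streams.append(ads)
    return {"events": events, "suffixes": suffixes,
            "renamed": renamed, "streams": streams}


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_ROWS).items():
        print(key, value)
```

The suffix regex is deliberately narrow (two parenthesised groups followed by one alphanumeric marker) so that ordinary multi-dot filenames such as the .xrm-ms and .ni.dll.aux entries above are not mistaken for renamed files; widen it only after checking what the sample actually appends in a given run.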
Runs net.exe
The command line is visible in the process tree below: cmd.exe /c net stop MSDTC, launched by the sample (PID 1704) through cmd.exe (PID 2580).
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid   Process
1704  Taleb.Ransom.exe  (18 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/child pair appears three times in the raw list; the table collapses the repeats into an entry count. The raw list stops at 64 rows, so the last pair shows only once.
pid   wrote to  Process           procid_target  entries
1704  2580      Taleb.Ransom.exe  81             3
2580  3828      cmd.exe           83             3
3828  3260      net.exe           84             3
1704  4996      Taleb.Ransom.exe  85             3
1704  4088      Taleb.Ransom.exe  87             3
1704  768       Taleb.Ransom.exe  89             3
1704  1468      Taleb.Ransom.exe  91             3
1468  4612      cmd.exe           93             3
4612  2692      net.exe           94             3
1704  1884      Taleb.Ransom.exe  95             3
1884  2196      cmd.exe           97             3
2196  2308      net.exe           98             3
1704  2624      Taleb.Ransom.exe  99             3
2624  2376      cmd.exe           101            3
2376  4300      net.exe           102            3
1704  4244      Taleb.Ransom.exe  103            3
4244  4060      cmd.exe           105            3
1704  4736      Taleb.Ransom.exe  108            3
4736  1420      cmd.exe           110            3
1704  1876      Taleb.Ransom.exe  111            3
1876  4156      cmd.exe           113            3
4156  3468      net.exe           114            1
Processes
- C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe (PID 1704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe"
  Signatures:
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2580)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSDTC
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 3828)
      Command line: net stop MSDTC
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 3260)
        Command line: C:\Windows\system32\net1 stop MSDTC
  - C:\Windows\SysWOW64\cmd.exe (PID 4996)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - C:\Windows\SysWOW64\cmd.exe (PID 4088)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  - C:\Windows\SysWOW64\cmd.exe (PID 768)
    Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  - C:\Windows\SysWOW64\cmd.exe (PID 1468)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 4612)
      Command line: net stop SQLSERVERAGENT
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2692)
        Command line: C:\Windows\system32\net1 stop SQLSERVERAGENT
  - C:\Windows\SysWOW64\cmd.exe (PID 1884)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2196)
      Command line: net stop MSSQLSERVER
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2308)
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe (PID 2624)
    Command line: C:\Windows\system32\cmd.exe /c net stop vds
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2376)
      Command line: net stop vds
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 4300)
        Command line: C:\Windows\system32\net1 stop vds
  - C:\Windows\SysWOW64\cmd.exe (PID 4244)
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 4060)
      Command line: netsh advfirewall set currentprofile state off
  - C:\Windows\SysWOW64\cmd.exe (PID 4736)
    Command line: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 1420)
      Command line: netsh firewall set opmode mode=disable
  - C:\Windows\SysWOW64\cmd.exe (PID 1876)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLWriter
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 4156)
      Command line: net stop SQLWriter
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 3468)
        Command line: C:\Windows\system32\net1 stop SQLWriter
  - C:\Windows\SysWOW64\cmd.exe (PID 3868)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
    - C:\Windows\SysWOW64\net.exe (PID 2472)
      Command line: net stop SQLBrowser
      - C:\Windows\SysWOW64\net1.exe (PID 2156)
        Command line: C:\Windows\system32\net1 stop SQLBrowser
  - C:\Windows\SysWOW64\cmd.exe (PID 3564)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    - C:\Windows\SysWOW64\net.exe (PID 1360)
      Command line: net stop MSSQLSERVER
      - C:\Windows\SysWOW64\net1.exe (PID 3008)
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe (PID 4452)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
    - C:\Windows\SysWOW64\net.exe (PID 2084)
      Command line: net stop MSSQL$CONTOSO1
      - C:\Windows\SysWOW64\net1.exe (PID 4288)
        Command line: C:\Windows\system32\net1 stop MSSQL$CONTOSO1
- C:\Windows\system32\WerFault.exe (PID 3628)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 3024 -ip 3024
- C:\Windows\system32\WerFault.exe (PID 4392)
  Command line: C:\Windows\system32\WerFault.exe -u -p 3024 -s 3512
  Signatures: Program crash
- C:\Windows\explorer.exe (PID 1512)
  Command line: explorer.exe
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3456)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 260)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - C:\Windows\system32\WerFault.exe (PID 4024)
    Command line: C:\Windows\system32\WerFault.exe -u -p 260 -s 4388
    Signatures: Program crash
- C:\Windows\system32\WerFault.exe (PID 2752)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 420 -p 260 -ip 260
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3800)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - C:\Windows\system32\WerFault.exe (PID 4796)
    Command line: C:\Windows\system32\WerFault.exe -u -p 3800 -s 3240
    Signatures: Program crash
  - C:\Windows\system32\WerFault.exe (PID 1840)
    Command line: C:\Windows\system32\WerFault.exe -u -p 3800 -s 3240
    Signatures: Program crash
- C:\Windows\system32\WerFault.exe (PID 3116)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 524 -p 3800 -ip 3800
- C:\Windows\System32\Upfc.exe (PID 3500)
  Command line: C:\Windows\System32\Upfc.exe /launchtype periodic /cv g9ZCCWuZ6Uy/TtqUQ/6RDA.0
- C:\Windows\system32\werfault.exe (PID 4756)
  Command line: werfault.exe /hc /shared Global\55b3e50313b342ab9ec1ad5e6d8b8b85 /t 3224 /p 3800 4796