Analysis
max time kernel: 50s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 08-03-2022 23:12
Static task: static1
Behavioral task: behavioral1
Sample: Taleb.Ransom.exe
Resource: win10v2004-en-20220113
General
Target: Taleb.Ransom.exe
Size: 10.8MB
MD5: ac09b7550eda13e03a55448fd8367e2d
SHA1: 8266a12669a4a3952cb9af86e75ed74c27c71013
SHA256: 4b78968928cfa5437ffdd56a39a5ea8c10a7b6dc5d3f342d003260088876b3cf
SHA512: 44cace3038bd96fa36a9d3b16251573f625f5e7cb53f0233d87f6e8ab564e731bd8719088feec44f47a460c0a096b964c2c0e77f3f1c371b773e66407aef5d29
Malware Config
Signatures
-
Modifies Windows Firewall (1 TTPs)
-
Modifies extensions of user files (1 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: Taleb.Ransom.exe
description: File opened for modification
ioc: C:\Users\Admin\Pictures\OutCheckpoint.tiff
process: Taleb.Ransom.exe
-
Drops startup file (1 IoCs)
Processes: Taleb.Ransom.exe
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
process: Taleb.Ransom.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) (64 IoCs)
Processes: Taleb.Ransom.exe
-
Drops autorun.inf file (1 TTPs)
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory (1 IoCs)
Processes: Taleb.Ransom.exe
description: File opened for modification
ioc: C:\Windows\SysWOW64\regedit.exe
process: Taleb.Ransom.exe
-
Drops file in Program Files directory (64 IoCs)
Processes: Taleb.Ransom.exe
-
Drops file in Windows directory (64 IoCs)
Processes: Taleb.Ransom.exe
-
Program crash (4 IoCs)
Processes: WerFault.exe
pid / pid_target / process / target process
4392 / 3024 / WerFault.exe / (not listed)
4024 / 260 / WerFault.exe / SearchApp.exe
4796 / 3800 / WerFault.exe / SearchApp.exe
1840 / 3800 / WerFault.exe / SearchApp.exe
-
NTFS ADS (23 IoCs)
Processes: Taleb.Ransom.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes: Taleb.Ransom.exe
pid / process
1704 / Taleb.Ransom.exe (the same entry is listed for each of the 18 IoCs)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
Taleb.Ransom.exe, cmd.exe, net.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop MSDTC
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop MSDTC
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MSDTC
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop SQLSERVERAGENT
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop SQLSERVERAGENT
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop MSSQLSERVER
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop vds
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop vds
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop vds
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh advfirewall set currentprofile state off
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set opmode mode=disable
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLWriter
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop SQLWriter
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop SQLWriter
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop SQLBrowser
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop SQLBrowser
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop MSSQLSERVER
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop MSSQL$CONTOSO1
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MSSQL$CONTOSO1
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 3024 -ip 3024
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 3024 -s 3512
  - Program crash
- C:\Windows\explorer.exe
  Command line: explorer.exe
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 260 -s 4388
    - Program crash
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 420 -p 260 -ip 260
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 3800 -s 3240
    - Program crash
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 3800 -s 3240
    - Program crash
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 524 -p 3800 -ip 3800
- C:\Windows\System32\Upfc.exe
  Command line: C:\Windows\System32\Upfc.exe /launchtype periodic /cv g9ZCCWuZ6Uy/TtqUQ/6RDA.0
- C:\Windows\system32\werfault.exe
  Command line: werfault.exe /hc /shared Global\55b3e50313b342ab9ec1ad5e6d8b8b85 /t 3224 /p 3800 4796
Downloads