Analysis
- max time kernel: 321s
- max time network: 275s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 25-03-2022 06:59
Static task: static1

Behavioral task: behavioral1
- Sample: Taleb.Ransom.exe
- Resource: win7-20220311-en
- Platform: windows7_x64
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Taleb.Ransom.exe
- Resource: win10v2004-20220310-en
- Platform: windows10-2004_x64
- 0 signatures, 0 seconds
General
- Target: Taleb.Ransom.exe
- Size: 10.8MB
- MD5: ac09b7550eda13e03a55448fd8367e2d
- SHA1: 8266a12669a4a3952cb9af86e75ed74c27c71013
- SHA256: 4b78968928cfa5437ffdd56a39a5ea8c10a7b6dc5d3f342d003260088876b3cf
- SHA512: 44cace3038bd96fa36a9d3b16251573f625f5e7cb53f0233d87f6e8ab564e731bd8719088feec44f47a460c0a096b964c2c0e77f3f1c371b773e66407aef5d29
- Score: 10/10
Malware Config
Extracted
- Path: C:\Decryption-Guide.txt
- Ransom Note:
Your Files Are Has Been Locked
Your Files Has Been Encrypted with cryptography Algorithm
If You Need Your Files And They are Important to You, Dont be shy Send Me an Email
Send Test File + The Key File on Your System (File Exist in C:/ProgramData example : RSAKEY-SE-24r6t523 pr RSAKEY.KEY) to Make Sure Your Files Can be Restored
Make an Agreement on Price with me and Pay
Get Decryption Tool + RSA Key AND Instruction For Decryption Process
Attention:
1- Do Not Rename or Modify The Files (You May loose That file)
2- Do Not Try To Use 3rd Party Apps or Recovery Tools ( if You want to do that make an copy from Files and try on them and Waste Your time )
3-Do not Reinstall Operation System(Windows) You may loose the key File and Loose Your Files
4-Do Not Always Trust to Middle mans and negotiators (some of them are good but some of them agree on 4000usd for example and Asked 10000usd From Client) this Was happened
Your Case ID :MJ-DT1743028965
OUR Email :Folperdock@gmail.com
- Emails: Folperdock@gmail.com
Signatures
- Modifies Windows Firewall (1 TTPs)
- Drops desktop.ini file(s) (5 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-2403053463-4052593947-3703345493-1000\desktop.ini | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\desktop.ini | Taleb.Ransom.exe
  File created | C:\$Recycle.Bin\S-1-5-21-2403053463-4052593947-3703345493-1000\desktop.ini | Taleb.Ransom.exe
  File created | C:\Program Files\desktop.ini | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | Taleb.Ransom.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  70 | api.my-ip.io
  71 | api.my-ip.io
- Drops file in Program Files directory (64 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_HK.properties | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OsfTaskengine.dll | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll | Taleb.Ransom.exe
  File created | C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\TextIntelligence.dll | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\gstreamer-lite.dll.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansDemiBold.ttf | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\lcms.dll.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util-lookup.jar.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightDemiItalic.ttf.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolui.dll | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\PREVIEW.GIF | Taleb.Ransom.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\COPYRIGHT | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe | Taleb.Ransom.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\7-Zip\7z.sfx.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansDemiBold.ttf.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_cs.jar.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\excel.exe.manifest | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\orb.idl | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002 | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\RECOVR32.CNV | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sr.pak.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\sawindbg.dll.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_sv.properties.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\id.pak | Taleb.Ransom.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcp120.dll | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\setEmbeddedCP | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll | Taleb.Ransom.exe
  File created | C:\Program Files\7-Zip\Lang\lij.txt.(MJ-DT1743028965)(Folperdock@gmail.com).Godox | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml | Taleb.Ransom.exe
- NTFS ADS (2 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Documents and Settings\S-1-5-21-2403053463-4052593947-3703345493-1000\̀sk8:䰐ÎȀ | Taleb.Ransom.exe
  File opened for modification | C:\Documents and Settings\S-1-5-21-2403053463-4052593947-3703345493-1000\̀sk8:䬸ÎȀ | Taleb.Ransom.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
  pid | process
  3528 | Taleb.Ransom.exe (reported 18 times)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (each write is listed once below with its repeat count; the 64 rows total matches the sandbox count):
  description | pid | process | target process
  PID 3528 wrote to memory of 4224 | 3528 | Taleb.Ransom.exe | cmd.exe (x3)
  PID 4224 wrote to memory of 620 | 4224 | cmd.exe | net.exe (x3)
  PID 620 wrote to memory of 1248 | 620 | net.exe | net1.exe (x3)
  PID 3528 wrote to memory of 3288 | 3528 | Taleb.Ransom.exe | cmd.exe (x3)
  PID 3528 wrote to memory of 2264 | 3528 | Taleb.Ransom.exe | cmd.exe (x3)
  PID 3528 wrote to memory of 4592 | 3528 | Taleb.Ransom.exe | cmd.exe (x3)
  PID 3528 wrote to memory of 2340 | 3528 | Taleb.Ransom.exe | cmd.exe (x3)
  PID 2340 wrote to memory of 3868 | 2340 | cmd.exe | net.exe (x3)
  PID 3868 wrote to memory of 912 | 3868 | net.exe | net1.exe (x3)
  PID 3528 wrote to memory of 4804 | 3528 | Taleb.Ransom.exe | cmd.exe (x3)
  PID 4804 wrote to memory of 1444 | 4804 | cmd.exe | net.exe (x3)
  PID 1444 wrote to memory of 1856 | 1444 | net.exe | net1.exe (x3)
  PID 3528 wrote to memory of 2268 | 3528 | Taleb.Ransom.exe | cmd.exe (x3)
  PID 2268 wrote to memory of 5112 | 2268 | cmd.exe | net.exe (x3)
  PID 5112 wrote to memory of 1004 | 5112 | net.exe | net1.exe (x3)
  PID 3528 wrote to memory of 4672 | 3528 | Taleb.Ransom.exe | cmd.exe (x3)
  PID 4672 wrote to memory of 1740 | 4672 | cmd.exe | netsh.exe (x3)
  PID 3528 wrote to memory of 3892 | 3528 | Taleb.Ransom.exe | cmd.exe (x3)
  PID 3892 wrote to memory of 4556 | 3892 | cmd.exe | netsh.exe (x3)
  PID 3528 wrote to memory of 3736 | 3528 | Taleb.Ransom.exe | cmd.exe (x3)
  PID 3736 wrote to memory of 1856 | 3736 | cmd.exe | net.exe (x3)
  PID 1856 wrote to memory of 688 | 1856 | net.exe | net1.exe (x1)
Processes
- C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe"
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop MSDTC
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop MSDTC
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MSDTC
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop SQLSERVERAGENT
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop SQLSERVERAGENT
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop MSSQLSERVER
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop vds
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop vds
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop vds
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh advfirewall set currentprofile state off
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set opmode mode=disable
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLWriter
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop SQLWriter
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop SQLWriter
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop SQLBrowser
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop SQLBrowser
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop MSSQLSERVER
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop MSSQL$CONTOSO1
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MSSQL$CONTOSO1
Downloads
- memory/60-161-0x0000000000000000-mapping.dmp
- memory/416-159-0x0000000000000000-mapping.dmp
- memory/620-135-0x0000000000000000-mapping.dmp
- memory/688-155-0x0000000000000000-mapping.dmp
- memory/912-142-0x0000000000000000-mapping.dmp
- memory/1004-148-0x0000000000000000-mapping.dmp
- memory/1248-136-0x0000000000000000-mapping.dmp
- memory/1316-156-0x0000000000000000-mapping.dmp
- memory/1444-144-0x0000000000000000-mapping.dmp
- memory/1740-150-0x0000000000000000-mapping.dmp
- memory/1856-145-0x0000000000000000-mapping.dmp
- memory/1856-154-0x0000000000000000-mapping.dmp
- memory/2208-163-0x0000000000000000-mapping.dmp
- memory/2252-160-0x0000000000000000-mapping.dmp
- memory/2264-138-0x0000000000000000-mapping.dmp
- memory/2268-146-0x0000000000000000-mapping.dmp
- memory/2340-140-0x0000000000000000-mapping.dmp
- memory/3288-137-0x0000000000000000-mapping.dmp
- memory/3736-153-0x0000000000000000-mapping.dmp
- memory/3868-141-0x0000000000000000-mapping.dmp
- memory/3892-151-0x0000000000000000-mapping.dmp
- memory/4068-164-0x0000000000000000-mapping.dmp
- memory/4224-134-0x0000000000000000-mapping.dmp
- memory/4228-162-0x0000000000000000-mapping.dmp
- memory/4556-152-0x0000000000000000-mapping.dmp
- memory/4592-139-0x0000000000000000-mapping.dmp
- memory/4672-149-0x0000000000000000-mapping.dmp
- memory/4804-143-0x0000000000000000-mapping.dmp
- memory/4944-157-0x0000000000000000-mapping.dmp
- memory/5036-158-0x0000000000000000-mapping.dmp
- memory/5112-147-0x0000000000000000-mapping.dmp