Analysis
-
max time kernel
150s -
max time network
14s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-02-2021 04:04
General
-
Target
444.exe
-
Size
2.2MB
-
MD5
eb154d544f8cb7aeac7700100bfe7c1a
-
SHA1
5bc2d79943de6b47768db926704e21e88cb95aa2
-
SHA256
e97c6e05b1a3d287151638ffe86229597b188f9aa6d34db255f08dbc11dbfbd8
-
SHA512
22964c627143afba28b6b4f05bb93867edabe9842090c85cbc193ef957e26a2cf60660e6f98fbeb8218f5876cfcdb382094c537539e7709014ddc9bef8a2d165
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\HOW_TO_RECOVER_YOUR_FILES.txt
Ransom Note
Your files is safely locked and automatically backup on our servers to unlock your files and get your password send this exact amount in 48 hours:
10 BTC
ATTENTION: You just have 48 hours at the end of this period if you not pay this fee all of your personal files and data will be published on our WALL OF SHAME as public on internet.
YOU CAN CONTACT WITH US INSTANT OVER ON TELEGRAM: AlumniLocker
Bitcoin address for payment:
35LikWJCjvfHWDZezZXswgqNeuT6gv36YM
All your data will UNLOCK automatically after the payment if you have any problem or question feel free to contact with us after the payment.
TELEGRAM:
AlumniLocker
E-MAIL:
alumnilocker@protonmail.com
WALL OF SHAME URL:
http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion
IMPORTANT NOTE:
DO NOT CONTACT WITH US BEFORE THE PAYMENT! We not reply messages without payment proof if you want to get answer have to send your payment proof as a screenshot.
WHERE YOU CAN GET BITCOIN?
www.localbitcoins.com
www.paxful.com
www.binance.com
www.coinbase.com
Key Identifier:
SBylrZZY2rCNTq17EDhLqAGo6TEqvXsIRxu0X0yK0FOPh+FMIXZ5sV9xs1vBQe3G5lHGK04EC546y3uVZiprd884T/hm3uJAwGK5htbTVPn3GWtgt46YRNcOfHhqS0hfPiZ02zQ7z4/4lCRVDGzVrTBGKWXi9LZUFzThfJprgJS9tPu5mXCY0oB5ZF2BMte06/l2Grs1OwE9dXAnfzfs8C4XT5wf0ua8F2Qlf8YT8NfVU6I55PkEeJsrOGjC8J92it5YOIuQm9eFpWH7+oKT57N22gWmGqsCg8O5TMXSlLOA0nu23C6d6fcZRN47luPI9BkURrcqRYzWSO4FwdwGfPD2c9WAAAwbjPpdavPqQhN3tNOSXXLcdbEJabtQBVAF0QpdddlGmEfTv2hjG5PFC4T62Mcn5WKyCRLAgXq9C8C/sDDR3jecuP1aS2A6zMZOd+/69iVbR+V2pz6mo9lYuV+vCPZK3oLE51F0+ygSrCC8/Ctmak4Jeh7eZUDyUkaKYMCnoQvc8XgCZttTCIFj02hj08N5Bd1eIkBQVTU/pHq0cVRqVeZLgcBkwBzXCdsFg5m2k07NgUyZrDktkt9k0Zw+DliL/nGlfkdY/WS1XV9rk7RwnXYAedbaI7FadnGBLj6MtjwyRx1MAt69eS5LuM5q/ywkm6zD1jxUTzQULM4=
Emails
alumnilocker@protonmail.com
Wallets
35LikWJCjvfHWDZezZXswgqNeuT6gv36YM
URLs
http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion
Extracted
Path
C:\Users\Admin\Desktop\HOW_TO_RECOVER_YOUR_FILES.txt
Ransom Note
Your files is safely locked and automatically backup on our servers to unlock your files and get your password send this exact amount in 48 hours:
10 BTC
ATTENTION: You just have 48 hours at the end of this period if you not pay this fee all of your personal files and data will be published on our WALL OF SHAME as public on internet.
YOU CAN CONTACT WITH US INSTANT OVER ON TELEGRAM: AlumniLocker
Bitcoin address for payment:
35LikWJCjvfHWDZezZXswgqNeuT6gv36YM
All your data will UNLOCK automatically after the payment if you have any problem or question feel free to contact with us after the payment.
TELEGRAM:
AlumniLocker
E-MAIL:
alumnilocker@protonmail.com
WALL OF SHAME URL:
http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion
IMPORTANT NOTE:
DO NOT CONTACT WITH US BEFORE THE PAYMENT! We not reply messages without payment proof if you want to get answer have to send your payment proof as a screenshot.
WHERE YOU CAN GET BITCOIN?
www.localbitcoins.com
www.paxful.com
www.binance.com
www.coinbase.com
Key Identifier:
SBylrZZY2rCNTq17EDhLqAGo6TEqvXsIRxu0X0yK0FOPh+FMIXZ5sV9xs1vBQe3G5lHGK04EC546y3uVZiprd884T/hm3uJAwGK5htbTVPn3GWtgt46YRNcOfHhqS0hfPiZ02zQ7z4/4lCRVDGzVrTBGKWXi9LZUFzThfJprgJS9tPu5mXCY0oB5ZF2BMte06/l2Grs1OwE9dXAnfzfs8C4XT5wf0ua8F2Qlf8YT8NfVU6I55PkEeJsrOGjC8J92it5YOIuQm9eFpWH7+oKT57N22gWmGqsCg8O5TMXSlLOA0nu23C6d6fcZRN47luPI9BkURrcqRYzWSO4FwdwGfPD2c9WAAAwbjPpdavPqQhN3tNOSXXLcdbEJabtQBVAF0QpdddlGmEfTv2hjG5PFC4T62Mcn5WKyCRLAgXq9C8C/sDDR3jecuP1aS2A6zMZOd+/69iVbR+V2pz6mo9lYuV+vCPZK3oLE51F0+ygSrCC8/Ctmak4Jeh7eZUDyUkaKYMCnoQvc8XgCZttTCIFj02hj08N5Bd1eIkBQVTU/pHq0cVRqVeZLgcBkwBzXCdsFg5m2k07NgUyZrDktkt9k0Zw+DliL/nGlfkdY/WS1XV9rk7RwnXYAedbaI7FadnGBLj6MtjwyRx1MAt69eS5LuM5q/ywkm6zD1jxUTzQULM4=
Number of files that were processed is: 478
Emails
alumnilocker@protonmail.com
Wallets
35LikWJCjvfHWDZezZXswgqNeuT6gv36YM
URLs
http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
themida 1 IoCs
Detects Themida, Advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 5 IoCs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\444.exe"C:\Users\Admin\AppData\Local\Temp\444.exe"1⤵
- Modifies extensions of user files
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Modifies WinLogon
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" start Dnscache /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start Dnscache /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" start FDResPub /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start FDResPub /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop bedbg /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop bedbg /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" start upnphost /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" start SSDPSRV /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EhttpSrv /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MMS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MMS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPSecurityService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPSecurityService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQLEXPRESS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ekrn /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ekrn /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EPUpdateService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EPUpdateService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPS /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mozyprobackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mozyprobackup /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EsgShKernel /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EsgShKernel /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ntrtscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ntrtscan /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ESHASRV /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ESHASRV /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPSAMA /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SDRSVC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SDRSVC /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop “Enterprise Client Service” /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop “Enterprise Client Service” /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLWriter /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SBSMONITORING /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop KAVFSGT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KAVFSGT /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$VEEAMSQL2012 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBackupSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBackupSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SHAREPOINT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop kavfsslp /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop kavfsslp /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamBrokerSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamBrokerSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SQL_2008 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop klnagent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop klnagent /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop macmnsvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop macmnsvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop FA_Scheduler /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop FA_Scheduler /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCatalogSvc /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamCloudSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCloudSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLServerADHelper /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MBAMService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MBAMService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLSERVER /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploySvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploySvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQLFDLauncher$TPSAMA /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop masvc /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeEngineService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeEngineService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_RECOVER_YOUR_FILES.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1574638822-678973302-1889668400-393187553101694083912106236-526502654-1968956048"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$TPS /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-152313087-524461953-221038322-17994435161796700947-159225098017632518341528239206"1⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1291157416-766490135-1800998191-648022206-1518774215207721888816075907131079634238"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-605670825624460524-1243991113943958821452139248-969458767-700391843-815590665"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamCatalogSvc /y1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "12401015221243370931890079352-1250857293-202201897211866762422641298-718604786"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1841742189-61982814510419964751705963519-1583788011159508207112684338631661603503"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-152587938-1953514819-562562777-19549963151027945358770653109104359411075909980"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1471774638-498299302-401193296288057077-1612651874789932025-578945798546475560"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "206167112956851309820443375691795358090202863090-179987914816402434222045148109"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "510307781633467569-697022658614856936-6932089587484998620104355491403295468"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "154822566-994290487134613480117674550301223325095-925956904-1254305915-2023947551"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop masvc /y1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\HOW_TO_RECOVER_YOUR_FILES.txtMD5
f129dd9a68161dd7fb0036ddde9c6468
SHA1a38d6d0bd09837268df95e48c65c0093cac329ca
SHA25645f4e54e0d6871351ebdd4ae5669d8b7c4d755ed83839ef603363c8db7dc1b42
SHA512a0f822726d34b1c66df1c12dc13e74d8beed060093f1924d0c8e19e5f58e879a0c4b1b0e9c9d7dbf42cdad3b0f9db930f3bcb60e1de76d52c08bef055bb85088
-
memory/268-7-0x0000000000000000-mapping.dmp
-
memory/332-26-0x0000000000000000-mapping.dmp
-
memory/472-13-0x0000000000000000-mapping.dmp
-
memory/568-19-0x0000000000000000-mapping.dmp
-
memory/568-48-0x0000000000000000-mapping.dmp
-
memory/576-46-0x0000000000000000-mapping.dmp
-
memory/616-39-0x0000000000000000-mapping.dmp
-
memory/676-28-0x0000000000000000-mapping.dmp
-
memory/724-25-0x0000000000000000-mapping.dmp
-
memory/848-11-0x0000000000000000-mapping.dmp
-
memory/952-34-0x0000000000000000-mapping.dmp
-
memory/1032-31-0x0000000000000000-mapping.dmp
-
memory/1064-12-0x0000000000000000-mapping.dmp
-
memory/1100-45-0x0000000000000000-mapping.dmp
-
memory/1104-16-0x0000000000000000-mapping.dmp
-
memory/1108-18-0x0000000000000000-mapping.dmp
-
memory/1120-50-0x0000000000000000-mapping.dmp
-
memory/1180-10-0x0000000000000000-mapping.dmp
-
memory/1220-14-0x0000000000000000-mapping.dmp
-
memory/1264-43-0x0000000000000000-mapping.dmp
-
memory/1264-15-0x0000000000000000-mapping.dmp
-
memory/1276-38-0x0000000000000000-mapping.dmp
-
memory/1328-49-0x0000000000000000-mapping.dmp
-
memory/1328-37-0x0000000000000000-mapping.dmp
-
memory/1328-109-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmpFilesize
8KB
-
memory/1472-53-0x0000000000000000-mapping.dmp
-
memory/1472-33-0x0000000000000000-mapping.dmp
-
memory/1480-36-0x0000000000000000-mapping.dmp
-
memory/1484-30-0x0000000000000000-mapping.dmp
-
memory/1488-47-0x0000000000000000-mapping.dmp
-
memory/1492-8-0x0000000000000000-mapping.dmp
-
memory/1504-29-0x0000000000000000-mapping.dmp
-
memory/1520-23-0x0000000000000000-mapping.dmp
-
memory/1528-35-0x0000000000000000-mapping.dmp
-
memory/1612-32-0x0000000000000000-mapping.dmp
-
memory/1720-41-0x0000000000000000-mapping.dmp
-
memory/1720-24-0x0000000000000000-mapping.dmp
-
memory/1776-27-0x0000000000000000-mapping.dmp
-
memory/1816-9-0x0000000000000000-mapping.dmp
-
memory/1904-2-0x00000000766F1000-0x00000000766F3000-memory.dmpFilesize
8KB
-
memory/1904-40-0x0000000000BC0000-0x0000000000BD1000-memory.dmpFilesize
68KB
-
memory/1904-22-0x00000000050D0000-0x00000000050D1000-memory.dmpFilesize
4KB
-
memory/1904-5-0x0000000000F70000-0x0000000000F71000-memory.dmpFilesize
4KB
-
memory/1904-4-0x00000000741A0000-0x000000007488E000-memory.dmpFilesize
6.9MB
-
memory/1980-17-0x0000000000000000-mapping.dmp
-
memory/2064-52-0x0000000000000000-mapping.dmp
-
memory/2084-55-0x0000000000000000-mapping.dmp
-
memory/2108-58-0x0000000000000000-mapping.dmp
-
memory/2128-57-0x0000000000000000-mapping.dmp
-
memory/2152-60-0x0000000000000000-mapping.dmp
-
memory/2176-64-0x0000000000000000-mapping.dmp
-
memory/2184-61-0x0000000000000000-mapping.dmp
-
memory/2224-62-0x0000000000000000-mapping.dmp
-
memory/2248-66-0x0000000000000000-mapping.dmp
-
memory/2276-67-0x0000000000000000-mapping.dmp
-
memory/2300-70-0x0000000000000000-mapping.dmp
-
memory/2316-69-0x0000000000000000-mapping.dmp
-
memory/2332-71-0x0000000000000000-mapping.dmp
-
memory/2340-74-0x0000000000000000-mapping.dmp
-
memory/2356-72-0x0000000000000000-mapping.dmp
-
memory/2396-76-0x0000000000000000-mapping.dmp
-
memory/2424-78-0x0000000000000000-mapping.dmp
-
memory/2452-79-0x0000000000000000-mapping.dmp
-
memory/2460-81-0x0000000000000000-mapping.dmp
-
memory/2492-82-0x0000000000000000-mapping.dmp
-
memory/2504-83-0x0000000000000000-mapping.dmp
-
memory/2520-85-0x0000000000000000-mapping.dmp
-
memory/2544-88-0x0000000000000000-mapping.dmp
-
memory/2568-87-0x0000000000000000-mapping.dmp
-
memory/2592-89-0x0000000000000000-mapping.dmp