conti | 08f2cce77ba2016baf5819ebe697207af6d78262db0d07dc8158b9f37924816d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
02-04-2022 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TTT.exe
Size

1.1MB
MD5

f14c088aa22eb7aaaf02dcbe3681ee83
SHA1

fe4e63f968354129529e167a9c66f060f3bc26f8
SHA256

08f2cce77ba2016baf5819ebe697207af6d78262db0d07dc8158b9f37924816d
SHA512

f3815176206f4525c4eab80ec1d33821cd35ed55fee686622cf0c33381deeeec6b76ffede4846b083be7cb4313d1ceafbe8cc3d5f5941fa2dd46df9dfe441572

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. If you don't know who we are - just "Google it." As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly. DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value. DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these structures, so any of your complaints will be immediately directed to us. So if you will hire any recovery company for negotiations or send requests to the police/FBI/investigators, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately. To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/QuoGxV1WEF4BLFn6Fflq21CUpjFlFfejO6ulWG1yqnlJ4CqThu7m3ntnYwcFY3R9 YOU SHOULD BE AWARE! We will speak only with an authorized person. It can be the CEO, top management, etc. In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm!

URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/QuoGxV1WEF4BLFn6Fflq21CUpjFlFfejO6ulWG1yqnlJ4CqThu7m3ntnYwcFY3R9

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UnprotectLock.raw => C:\Users\Admin\Pictures\UnprotectLock.raw.V00Zb	TTT.exe
File renamed	C:\Users\Admin\Pictures\UnregisterConvertTo.tif => C:\Users\Admin\Pictures\UnregisterConvertTo.tif.V00Zb	TTT.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromClose.raw => C:\Users\Admin\Pictures\ConvertFromClose.raw.V00Zb	TTT.exe
File opened for modification	C:\Users\Admin\Pictures\StopRedo.tiff	TTT.exe
File renamed	C:\Users\Admin\Pictures\StopRedo.tiff => C:\Users\Admin\Pictures\StopRedo.tiff.V00Zb	TTT.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jsse.jar	TTT.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\readme.txt	TTT.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml	TTT.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\calendars.properties	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms	TTT.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\readme.txt	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR	TTT.exe
File created	C:\Program Files\Internet Explorer\it-IT\readme.txt	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proofing.msi.16.en-us.vreg.dat	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt	TTT.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB	TTT.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\NOTICE	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\sunjce_provider.jar	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf	TTT.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\readme.txt	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32mui.msi.16.en-us.tree.dat	TTT.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\javaws.policy	TTT.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\readme.txt	TTT.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\InstallerMainShell.tlb	TTT.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\readme.txt	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\powerview.x-none.msi.16.x-none.vreg.dat	TTT.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\custom.lua	TTT.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\javaws.jar	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN065.XML	TTT.exe
File opened for modification	C:\Program Files\MergeMove.svg	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms	TTT.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\readme.txt	TTT.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat	TTT.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\readme.txt	TTT.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF	TTT.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\currency.data	TTT.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif	TTT.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\classlist	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml	TTT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms	TTT.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe
1272	TTT.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1692	vssvc.exe
Token: SeRestorePrivilege	1692	vssvc.exe
Token: SeAuditPrivilege	1692	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3696	WMIC.exe
Token: SeSecurityPrivilege	3696	WMIC.exe
Token: SeTakeOwnershipPrivilege	3696	WMIC.exe
Token: SeLoadDriverPrivilege	3696	WMIC.exe
Token: SeSystemProfilePrivilege	3696	WMIC.exe
Token: SeSystemtimePrivilege	3696	WMIC.exe
Token: SeProfSingleProcessPrivilege	3696	WMIC.exe
Token: SeIncBasePriorityPrivilege	3696	WMIC.exe
Token: SeCreatePagefilePrivilege	3696	WMIC.exe
Token: SeBackupPrivilege	3696	WMIC.exe
Token: SeRestorePrivilege	3696	WMIC.exe
Token: SeShutdownPrivilege	3696	WMIC.exe
Token: SeDebugPrivilege	3696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3696	WMIC.exe
Token: SeRemoteShutdownPrivilege	3696	WMIC.exe
Token: SeUndockPrivilege	3696	WMIC.exe
Token: SeManageVolumePrivilege	3696	WMIC.exe
Token: 33	3696	WMIC.exe
Token: 34	3696	WMIC.exe
Token: 35	3696	WMIC.exe
Token: 36	3696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3696	WMIC.exe
Token: SeSecurityPrivilege	3696	WMIC.exe
Token: SeTakeOwnershipPrivilege	3696	WMIC.exe
Token: SeLoadDriverPrivilege	3696	WMIC.exe
Token: SeSystemProfilePrivilege	3696	WMIC.exe
Token: SeSystemtimePrivilege	3696	WMIC.exe
Token: SeProfSingleProcessPrivilege	3696	WMIC.exe
Token: SeIncBasePriorityPrivilege	3696	WMIC.exe
Token: SeCreatePagefilePrivilege	3696	WMIC.exe
Token: SeBackupPrivilege	3696	WMIC.exe
Token: SeRestorePrivilege	3696	WMIC.exe
Token: SeShutdownPrivilege	3696	WMIC.exe
Token: SeDebugPrivilege	3696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3696	WMIC.exe
Token: SeRemoteShutdownPrivilege	3696	WMIC.exe
Token: SeUndockPrivilege	3696	WMIC.exe
Token: SeManageVolumePrivilege	3696	WMIC.exe
Token: 33	3696	WMIC.exe
Token: 34	3696	WMIC.exe
Token: 35	3696	WMIC.exe
Token: 36	3696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1936	WMIC.exe
Token: SeSecurityPrivilege	1936	WMIC.exe
Token: SeTakeOwnershipPrivilege	1936	WMIC.exe
Token: SeLoadDriverPrivilege	1936	WMIC.exe
Token: SeSystemProfilePrivilege	1936	WMIC.exe
Token: SeSystemtimePrivilege	1936	WMIC.exe
Token: SeProfSingleProcessPrivilege	1936	WMIC.exe
Token: SeIncBasePriorityPrivilege	1936	WMIC.exe
Token: SeCreatePagefilePrivilege	1936	WMIC.exe
Token: SeBackupPrivilege	1936	WMIC.exe
Token: SeRestorePrivilege	1936	WMIC.exe
Token: SeShutdownPrivilege	1936	WMIC.exe
Token: SeDebugPrivilege	1936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1936	WMIC.exe
Token: SeRemoteShutdownPrivilege	1936	WMIC.exe
Token: SeUndockPrivilege	1936	WMIC.exe
Token: SeManageVolumePrivilege	1936	WMIC.exe
Token: 33	1936	WMIC.exe
Token: 34	1936	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1272	TTT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 3696	1272	TTT.exe	94
PID 1272 wrote to memory of 3696	1272	TTT.exe	94
PID 1272 wrote to memory of 1936	1272	TTT.exe	96
PID 1272 wrote to memory of 1936	1272	TTT.exe	96
PID 1272 wrote to memory of 5060	1272	TTT.exe	98
PID 1272 wrote to memory of 5060	1272	TTT.exe	98
PID 1272 wrote to memory of 5060	1272	TTT.exe	98
PID 5060 wrote to memory of 3792	5060	cmd.exe	100
PID 5060 wrote to memory of 3792	5060	cmd.exe	100
PID 5060 wrote to memory of 3792	5060	cmd.exe	100
PID 3792 wrote to memory of 4408	3792	net.exe	101
PID 3792 wrote to memory of 4408	3792	net.exe	101
PID 3792 wrote to memory of 4408	3792	net.exe	101
PID 1272 wrote to memory of 4596	1272	TTT.exe	102
PID 1272 wrote to memory of 4596	1272	TTT.exe	102
PID 1272 wrote to memory of 4596	1272	TTT.exe	102
PID 4596 wrote to memory of 4828	4596	cmd.exe	104
PID 4596 wrote to memory of 4828	4596	cmd.exe	104
PID 4596 wrote to memory of 4828	4596	cmd.exe	104
PID 4828 wrote to memory of 4816	4828	net.exe	105
PID 4828 wrote to memory of 4816	4828	net.exe	105
PID 4828 wrote to memory of 4816	4828	net.exe	105
PID 1272 wrote to memory of 3548	1272	TTT.exe	106
PID 1272 wrote to memory of 3548	1272	TTT.exe	106
PID 1272 wrote to memory of 3548	1272	TTT.exe	106
PID 3548 wrote to memory of 2844	3548	cmd.exe	108
PID 3548 wrote to memory of 2844	3548	cmd.exe	108
PID 3548 wrote to memory of 2844	3548	cmd.exe	108
PID 2844 wrote to memory of 3224	2844	net.exe	109
PID 2844 wrote to memory of 3224	2844	net.exe	109
PID 2844 wrote to memory of 3224	2844	net.exe	109
PID 1272 wrote to memory of 2128	1272	TTT.exe	110
PID 1272 wrote to memory of 2128	1272	TTT.exe	110
PID 1272 wrote to memory of 2128	1272	TTT.exe	110
PID 2128 wrote to memory of 532	2128	cmd.exe	112
PID 2128 wrote to memory of 532	2128	cmd.exe	112
PID 2128 wrote to memory of 532	2128	cmd.exe	112
PID 532 wrote to memory of 1032	532	net.exe	113
PID 532 wrote to memory of 1032	532	net.exe	113
PID 532 wrote to memory of 1032	532	net.exe	113
PID 1272 wrote to memory of 3892	1272	TTT.exe	114
PID 1272 wrote to memory of 3892	1272	TTT.exe	114
PID 1272 wrote to memory of 3892	1272	TTT.exe	114
PID 3892 wrote to memory of 448	3892	cmd.exe	116
PID 3892 wrote to memory of 448	3892	cmd.exe	116
PID 3892 wrote to memory of 448	3892	cmd.exe	116
PID 448 wrote to memory of 3616	448	net.exe	117
PID 448 wrote to memory of 3616	448	net.exe	117
PID 448 wrote to memory of 3616	448	net.exe	117
PID 1272 wrote to memory of 1884	1272	TTT.exe	118
PID 1272 wrote to memory of 1884	1272	TTT.exe	118
PID 1272 wrote to memory of 1884	1272	TTT.exe	118
PID 1884 wrote to memory of 4044	1884	cmd.exe	120
PID 1884 wrote to memory of 4044	1884	cmd.exe	120
PID 1884 wrote to memory of 4044	1884	cmd.exe	120
PID 4044 wrote to memory of 4084	4044	net.exe	121
PID 4044 wrote to memory of 4084	4044	net.exe	121
PID 4044 wrote to memory of 4084	4044	net.exe	121
PID 1272 wrote to memory of 1576	1272	TTT.exe	122
PID 1272 wrote to memory of 1576	1272	TTT.exe	122
PID 1272 wrote to memory of 1576	1272	TTT.exe	122
PID 1576 wrote to memory of 2364	1576	cmd.exe	124
PID 1576 wrote to memory of 2364	1576	cmd.exe	124
PID 1576 wrote to memory of 2364	1576	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\TTT.exe
"C:\Users\Admin\AppData\Local\Temp\TTT.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\System32\wbem\WMIC.exe
  shadowcopy where "ID='{17C5A010-80A0-4F9A-836F-BFCB14B6316C}'" delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3696
- C:\Windows\System32\wbem\WMIC.exe
  shadowcopy where "ID='{E9B5643F-8908-41A9-879A-BF3F65E24DF9}'" delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "SQLsafe Backup Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\net.exe
    net stop "SQLsafe Backup Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
      4⤵
      PID:4408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "SQLsafe Filter Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\SysWOW64\net.exe
    net stop "SQLsafe Filter Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
      4⤵
      PID:4816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSOLAP$SQL_2008 /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\SysWOW64\net.exe
    net stop MSOLAP$SQL_2008 /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
      4⤵
      PID:3224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$BKUPEXEC /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$BKUPEXEC /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
      4⤵
      PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$ECWDB2 /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$ECWDB2 /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
      4⤵
      PID:3616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$PRACTICEMGT /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PRACTICEMGT /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:4084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$PRACTTICEBGC /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:4484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:3588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SBSMONITORING /y
  2⤵
  PID:4508
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SBSMONITORING /y
    3⤵
    PID:2904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
      4⤵
      PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SHAREPOINT /y
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SHAREPOINT /y
    3⤵
    PID:3808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
      4⤵
      PID:4016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SQL_2008 /y
  2⤵
  PID:3652
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQL_2008 /y
    3⤵
    PID:4280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
      4⤵
      PID:3376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$SYSTEM_BGC /y
  2⤵
  PID:3780
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:3464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$TPS /y
  2⤵
  PID:3672
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$TPS /y
    3⤵
    PID:4752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPS /y
      4⤵
      PID:4564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$TPSAMA /y
  2⤵
  PID:4920
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$TPSAMA /y
    3⤵
    PID:2480
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
      4⤵
      PID:4104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y
  2⤵
  PID:868
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:1208
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:4248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:4172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop MSSQLSERVER /y
  2⤵
  PID:628
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER /y
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER /y
      4⤵
      PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLBrowser /y
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser /y
    3⤵
    PID:916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser /y
      4⤵
      PID:3396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SQLWriter /y
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter /y
    3⤵
    PID:3168
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:3280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1272-130-0x0000000001320000-0x000000000134E000-memory.dmp

Filesize
184KB

Download