conti | e6e248be24782f28a492055ebb35886ad057d8a5ff4d7315f22af1fe29d9df0d

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6e248be24782f28a492055ebb35886ad057d8a5ff4d7315f22af1fe29d9df0d.dll
Size

382KB
MD5

26624208981e08658186ff15904ea89d
SHA1

ff6256d719147c5aeab4c7c0d304fae2c82bfcf2
SHA256

e6e248be24782f28a492055ebb35886ad057d8a5ff4d7315f22af1fe29d9df0d
SHA512

c32ba04953064327f0902a3c521085e5a9fc2e91737ca4f43dec0cdd79dd7b3672fc4fc86145db73ebe148ae1090631d46a93bd952bd47e28452a55b17a4dd1f
SSDEEP

6144:kQ9zmZjVZ4SYnWMi1mpO8EAO40DjtHOY/zm7EGZ++N7PWL2Aw:z9oV6nTp+nVOY/zm7EGZRrQw

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\Program Files\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. If you don't know who we are - just "Google it." As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly. DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value. DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these structures, so any of your complaints will be immediately directed to us. So if you will hire any recovery company for negotiations or send requests to the police/FBI/investigators, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately. To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/DQ9sVn8U7WzJxFVJd3dMDAtaNEW6O7GMDVzJN0W0W0f79MCQoEoeHks8G8NCl8SV YOU SHOULD BE AWARE! We will speak only with an authorized person. It can be the CEO, top management, etc. In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm!

URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/DQ9sVn8U7WzJxFVJd3dMDAtaNEW6O7GMDVzJN0W0W0f79MCQoEoeHks8G8NCl8SV

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (7936) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\conti.png"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	regsvr32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDCNCLS.ICO	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITL.ICO	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml	regsvr32.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18191_.WMF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR24F.GIF	regsvr32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Discussion14.gta	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\OliveGreen.css	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01084_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105412.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JAVA_01.MID	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Grid.eftx	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\Proof.XML	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dushanbe	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\utilityfunctions.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02264_.WMF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	regsvr32.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN011.XML	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107182.WMF	regsvr32.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_decreaseindent.gif	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239951.WMF	regsvr32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115856.GIF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\rt.jar	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.DPV	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Taipei	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00656_.WMF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml	regsvr32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF	regsvr32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLNOTER.FAE	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_ON.GIF	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	regsvr32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF	regsvr32.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\readme.txt	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe
2668	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2668	2160	regsvr32.exe	28
PID 2160 wrote to memory of 2668	2160	regsvr32.exe	28
PID 2160 wrote to memory of 2668	2160	regsvr32.exe	28
PID 2160 wrote to memory of 2668	2160	regsvr32.exe	28
PID 2160 wrote to memory of 2668	2160	regsvr32.exe	28
PID 2160 wrote to memory of 2668	2160	regsvr32.exe	28
PID 2160 wrote to memory of 2668	2160	regsvr32.exe	28
PID 2668 wrote to memory of 2648	2668	regsvr32.exe	31
PID 2668 wrote to memory of 2648	2668	regsvr32.exe	31
PID 2668 wrote to memory of 2648	2668	regsvr32.exe	31
PID 2668 wrote to memory of 2648	2668	regsvr32.exe	31
PID 2648 wrote to memory of 2384	2648	cmd.exe	33
PID 2648 wrote to memory of 2384	2648	cmd.exe	33
PID 2648 wrote to memory of 2384	2648	cmd.exe	33
PID 2648 wrote to memory of 2384	2648	cmd.exe	33
PID 2384 wrote to memory of 2396	2384	net.exe	34
PID 2384 wrote to memory of 2396	2384	net.exe	34
PID 2384 wrote to memory of 2396	2384	net.exe	34
PID 2384 wrote to memory of 2396	2384	net.exe	34
PID 2668 wrote to memory of 2416	2668	regsvr32.exe	35
PID 2668 wrote to memory of 2416	2668	regsvr32.exe	35
PID 2668 wrote to memory of 2416	2668	regsvr32.exe	35
PID 2668 wrote to memory of 2416	2668	regsvr32.exe	35
PID 2416 wrote to memory of 2268	2416	cmd.exe	37
PID 2416 wrote to memory of 2268	2416	cmd.exe	37
PID 2416 wrote to memory of 2268	2416	cmd.exe	37
PID 2416 wrote to memory of 2268	2416	cmd.exe	37
PID 2268 wrote to memory of 2816	2268	net.exe	38
PID 2268 wrote to memory of 2816	2268	net.exe	38
PID 2268 wrote to memory of 2816	2268	net.exe	38
PID 2268 wrote to memory of 2816	2268	net.exe	38
PID 2668 wrote to memory of 2820	2668	regsvr32.exe	39
PID 2668 wrote to memory of 2820	2668	regsvr32.exe	39
PID 2668 wrote to memory of 2820	2668	regsvr32.exe	39
PID 2668 wrote to memory of 2820	2668	regsvr32.exe	39
PID 2820 wrote to memory of 2828	2820	cmd.exe	41
PID 2820 wrote to memory of 2828	2820	cmd.exe	41
PID 2820 wrote to memory of 2828	2820	cmd.exe	41
PID 2820 wrote to memory of 2828	2820	cmd.exe	41
PID 2828 wrote to memory of 2832	2828	net.exe	42
PID 2828 wrote to memory of 2832	2828	net.exe	42
PID 2828 wrote to memory of 2832	2828	net.exe	42
PID 2828 wrote to memory of 2832	2828	net.exe	42
PID 2668 wrote to memory of 328	2668	regsvr32.exe	43
PID 2668 wrote to memory of 328	2668	regsvr32.exe	43
PID 2668 wrote to memory of 328	2668	regsvr32.exe	43
PID 2668 wrote to memory of 328	2668	regsvr32.exe	43
PID 328 wrote to memory of 1608	328	cmd.exe	45
PID 328 wrote to memory of 1608	328	cmd.exe	45
PID 328 wrote to memory of 1608	328	cmd.exe	45
PID 328 wrote to memory of 1608	328	cmd.exe	45
PID 1608 wrote to memory of 1556	1608	net.exe	46
PID 1608 wrote to memory of 1556	1608	net.exe	46
PID 1608 wrote to memory of 1556	1608	net.exe	46
PID 1608 wrote to memory of 1556	1608	net.exe	46
PID 2668 wrote to memory of 1764	2668	regsvr32.exe	47
PID 2668 wrote to memory of 1764	2668	regsvr32.exe	47
PID 2668 wrote to memory of 1764	2668	regsvr32.exe	47
PID 2668 wrote to memory of 1764	2668	regsvr32.exe	47
PID 1764 wrote to memory of 1232	1764	cmd.exe	49
PID 1764 wrote to memory of 1232	1764	cmd.exe	49
PID 1764 wrote to memory of 1232	1764	cmd.exe	49
PID 1764 wrote to memory of 1232	1764	cmd.exe	49
PID 1232 wrote to memory of 1728	1232	net.exe	50

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e6e248be24782f28a492055ebb35886ad057d8a5ff4d7315f22af1fe29d9df0d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\e6e248be24782f28a492055ebb35886ad057d8a5ff4d7315f22af1fe29d9df0d.dll
  2⤵
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop "SQLsafe Backup Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLsafe Backup Service" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
        5⤵
        
        PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop "SQLsafe Filter Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLsafe Filter Service" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
        5⤵
        
        PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSOLAP$SQL_2008 /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\net.exe
      net stop MSOLAP$SQL_2008 /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
        5⤵
        
        PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$BKUPEXEC /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:328
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$BKUPEXEC /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
        5⤵
        
        PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$ECWDB2 /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$ECWDB2 /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1232
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
        5⤵
        
        PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$PRACTICEMGT /y
    3⤵
    PID:548
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PRACTICEMGT /y
      4⤵
      PID:772
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
        5⤵
        
        PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$PRACTTICEBGC /y
    3⤵
    PID:2592
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PRACTTICEBGC /y
      4⤵
      PID:1980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
        5⤵
        
        PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:1664
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
        5⤵
        
        PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$SBSMONITORING /y
    3⤵
    PID:2324
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SBSMONITORING /y
      4⤵
      PID:1988
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
        5⤵
        
        PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$SHAREPOINT /y
    3⤵
    PID:2548
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SHAREPOINT /y
      4⤵
      PID:808
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
        5⤵
        
        PID:820
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$SQL_2008 /y
    3⤵
    PID:300
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SQL_2008 /y
      4⤵
      PID:1624
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
        5⤵
        
        PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:2808
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:2708
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
        5⤵
        
        PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$TPS /y
    3⤵
    PID:2692
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$TPS /y
      4⤵
      PID:1160
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$TPS /y
        5⤵
        
        PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$TPSAMA /y
    3⤵
    PID:1516
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$TPSAMA /y
      4⤵
      PID:1920
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
        5⤵
        
        PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:1572
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:2100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
        5⤵
        
        PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:324
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
        5⤵
        
        PID:792
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQLSERVER /y
    3⤵
    PID:560
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLSERVER /y
      4⤵
      PID:720
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER /y
        5⤵
        
        PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop SQLBrowser /y
    3⤵
    PID:576
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLBrowser /y
      4⤵
      PID:1080
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser /y
        5⤵
        
        PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop SQLWriter /y
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLWriter /y
      4⤵
      PID:528
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter /y
        5⤵
        
        PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\readme.txt

Filesize
1KB

MD5
1c428c8eb1b4b20b2ce030868d24684e

SHA1
6b1bef226fd9b95c21b56c9407550b8d396a87a5

SHA256
2162823e05ca590c69f767620a8630abb53d14c10c636918488d0bc6c65c4cf5

SHA512
13c7c7786ae4aa5ebb4d1061cefc03e36b6b055c68827dc2a07e58c25469e742b92eff4b331a714a8b22f7cb317468a4a0f85e0530b158889c62f80df8b52ca1

Download Submit
memory/2668-0-0x0000000000160000-0x000000000018D000-memory.dmp

Filesize
180KB

Download