conti | e6e248be24782f28a492055ebb35886ad057d8a5ff4d7315f22af1fe29d9df0d

Analysis

max time kernel
120s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6e248be24782f28a492055ebb35886ad057d8a5ff4d7315f22af1fe29d9df0d.dll
Size

382KB
MD5

26624208981e08658186ff15904ea89d
SHA1

ff6256d719147c5aeab4c7c0d304fae2c82bfcf2
SHA256

e6e248be24782f28a492055ebb35886ad057d8a5ff4d7315f22af1fe29d9df0d
SHA512

c32ba04953064327f0902a3c521085e5a9fc2e91737ca4f43dec0cdd79dd7b3672fc4fc86145db73ebe148ae1090631d46a93bd952bd47e28452a55b17a4dd1f
SSDEEP

6144:kQ9zmZjVZ4SYnWMi1mpO8EAO40DjtHOY/zm7EGZ++N7PWL2Aw:z9oV6nTp+nVOY/zm7EGZRrQw

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\Program Files\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. If you don't know who we are - just "Google it." As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly. DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value. DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these structures, so any of your complaints will be immediately directed to us. So if you will hire any recovery company for negotiations or send requests to the police/FBI/investigators, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately. To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/DQ9sVn8U7WzJxFVJd3dMDAtaNEW6O7GMDVzJN0W0W0f79MCQoEoeHks8G8NCl8SV YOU SHOULD BE AWARE! We will speak only with an authorized person. It can be the CEO, top management, etc. In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm!

URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/DQ9sVn8U7WzJxFVJd3dMDAtaNEW6O7GMDVzJN0W0W0f79MCQoEoeHks8G8NCl8SV

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (7439) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	regsvr32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\conti.png"	regsvr32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\AddressBook2x.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js	regsvr32.exe
File created	C:\Program Files\Common Files\System\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sqlpdw.xsl	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\ui-strings.js	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\SelectReceive.css	regsvr32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\bell_empty.png	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\digsig_icons.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-Bold.otf	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css	regsvr32.exe
File created	C:\Program Files\Microsoft Office 15\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml	regsvr32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\selector.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\ui-strings.js	regsvr32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ui-strings.js	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUB.TTF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\ui-strings.js	regsvr32.exe
File created	C:\Program Files\Common Files\System\ado\en-US\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\PREVIEW.GIF	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\main.css	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ui-strings.js	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe
3284	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 3284	2304	regsvr32.exe	85
PID 2304 wrote to memory of 3284	2304	regsvr32.exe	85
PID 2304 wrote to memory of 3284	2304	regsvr32.exe	85
PID 3284 wrote to memory of 3564	3284	regsvr32.exe	97
PID 3284 wrote to memory of 3564	3284	regsvr32.exe	97
PID 3284 wrote to memory of 3564	3284	regsvr32.exe	97
PID 3564 wrote to memory of 3744	3564	cmd.exe	99
PID 3564 wrote to memory of 3744	3564	cmd.exe	99
PID 3564 wrote to memory of 3744	3564	cmd.exe	99
PID 3744 wrote to memory of 1228	3744	net.exe	100
PID 3744 wrote to memory of 1228	3744	net.exe	100
PID 3744 wrote to memory of 1228	3744	net.exe	100
PID 3284 wrote to memory of 4320	3284	regsvr32.exe	101
PID 3284 wrote to memory of 4320	3284	regsvr32.exe	101
PID 3284 wrote to memory of 4320	3284	regsvr32.exe	101
PID 4320 wrote to memory of 1432	4320	cmd.exe	103
PID 4320 wrote to memory of 1432	4320	cmd.exe	103
PID 4320 wrote to memory of 1432	4320	cmd.exe	103
PID 1432 wrote to memory of 2524	1432	net.exe	104
PID 1432 wrote to memory of 2524	1432	net.exe	104
PID 1432 wrote to memory of 2524	1432	net.exe	104
PID 3284 wrote to memory of 3752	3284	regsvr32.exe	105
PID 3284 wrote to memory of 3752	3284	regsvr32.exe	105
PID 3284 wrote to memory of 3752	3284	regsvr32.exe	105
PID 3752 wrote to memory of 764	3752	cmd.exe	107
PID 3752 wrote to memory of 764	3752	cmd.exe	107
PID 3752 wrote to memory of 764	3752	cmd.exe	107
PID 764 wrote to memory of 1984	764	net.exe	108
PID 764 wrote to memory of 1984	764	net.exe	108
PID 764 wrote to memory of 1984	764	net.exe	108
PID 3284 wrote to memory of 912	3284	regsvr32.exe	109
PID 3284 wrote to memory of 912	3284	regsvr32.exe	109
PID 3284 wrote to memory of 912	3284	regsvr32.exe	109
PID 912 wrote to memory of 4840	912	cmd.exe	111
PID 912 wrote to memory of 4840	912	cmd.exe	111
PID 912 wrote to memory of 4840	912	cmd.exe	111
PID 4840 wrote to memory of 4568	4840	net.exe	112
PID 4840 wrote to memory of 4568	4840	net.exe	112
PID 4840 wrote to memory of 4568	4840	net.exe	112
PID 3284 wrote to memory of 3508	3284	regsvr32.exe	113
PID 3284 wrote to memory of 3508	3284	regsvr32.exe	113
PID 3284 wrote to memory of 3508	3284	regsvr32.exe	113
PID 3508 wrote to memory of 2436	3508	cmd.exe	115
PID 3508 wrote to memory of 2436	3508	cmd.exe	115
PID 3508 wrote to memory of 2436	3508	cmd.exe	115
PID 2436 wrote to memory of 4172	2436	net.exe	116
PID 2436 wrote to memory of 4172	2436	net.exe	116
PID 2436 wrote to memory of 4172	2436	net.exe	116
PID 3284 wrote to memory of 1484	3284	regsvr32.exe	117
PID 3284 wrote to memory of 1484	3284	regsvr32.exe	117
PID 3284 wrote to memory of 1484	3284	regsvr32.exe	117
PID 1484 wrote to memory of 1908	1484	cmd.exe	119
PID 1484 wrote to memory of 1908	1484	cmd.exe	119
PID 1484 wrote to memory of 1908	1484	cmd.exe	119
PID 1908 wrote to memory of 1084	1908	net.exe	120
PID 1908 wrote to memory of 1084	1908	net.exe	120
PID 1908 wrote to memory of 1084	1908	net.exe	120
PID 3284 wrote to memory of 4836	3284	regsvr32.exe	121
PID 3284 wrote to memory of 4836	3284	regsvr32.exe	121
PID 3284 wrote to memory of 4836	3284	regsvr32.exe	121
PID 4836 wrote to memory of 216	4836	cmd.exe	123
PID 4836 wrote to memory of 216	4836	cmd.exe	123
PID 4836 wrote to memory of 216	4836	cmd.exe	123
PID 216 wrote to memory of 4972	216	net.exe	124

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e6e248be24782f28a492055ebb35886ad057d8a5ff4d7315f22af1fe29d9df0d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\e6e248be24782f28a492055ebb35886ad057d8a5ff4d7315f22af1fe29d9df0d.dll
  2⤵
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop "SQLsafe Backup Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLsafe Backup Service" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
        5⤵
        
        PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop "SQLsafe Filter Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLsafe Filter Service" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
        5⤵
        
        PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSOLAP$SQL_2008 /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\SysWOW64\net.exe
      net stop MSOLAP$SQL_2008 /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:764
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
        5⤵
        
        PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$BKUPEXEC /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$BKUPEXEC /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4840
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
        5⤵
        
        PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$ECWDB2 /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$ECWDB2 /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
        5⤵
        
        PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$PRACTICEMGT /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PRACTICEMGT /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
        5⤵
        
        PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$PRACTTICEBGC /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PRACTTICEBGC /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
        5⤵
        
        PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:8
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:3164
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
        5⤵
        
        PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$SBSMONITORING /y
    3⤵
    PID:2640
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SBSMONITORING /y
      4⤵
      PID:4308
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
        5⤵
        
        PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$SHAREPOINT /y
    3⤵
    PID:2124
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SHAREPOINT /y
      4⤵
      PID:4676
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
        5⤵
        
        PID:388
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$SQL_2008 /y
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SQL_2008 /y
      4⤵
      PID:4536
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
        5⤵
        
        PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:404
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
        5⤵
        
        PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$TPS /y
    3⤵
    PID:1532
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$TPS /y
      4⤵
      PID:996
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$TPS /y
        5⤵
        
        PID:532
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$TPSAMA /y
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$TPSAMA /y
      4⤵
      PID:5100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
        5⤵
        
        PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:1312
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:5116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
        5⤵
        
        PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:4292
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:744
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
        5⤵
        
        PID:4192
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQLSERVER /y
    3⤵
    PID:1400
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLSERVER /y
      4⤵
      PID:4808
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER /y
        5⤵
        
        PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop SQLBrowser /y
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLBrowser /y
      4⤵
      PID:4408
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser /y
        5⤵
        
        PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop SQLWriter /y
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLWriter /y
      4⤵
      PID:64
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter /y
        5⤵
        
        PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\readme.txt

Filesize
1KB

MD5
1c428c8eb1b4b20b2ce030868d24684e

SHA1
6b1bef226fd9b95c21b56c9407550b8d396a87a5

SHA256
2162823e05ca590c69f767620a8630abb53d14c10c636918488d0bc6c65c4cf5

SHA512
13c7c7786ae4aa5ebb4d1061cefc03e36b6b055c68827dc2a07e58c25469e742b92eff4b331a714a8b22f7cb317468a4a0f85e0530b158889c62f80df8b52ca1

Download Submit
memory/3284-0-0x0000000001400000-0x000000000142D000-memory.dmp

Filesize
180KB

Download
memory/3284-18845-0x0000000001400000-0x000000000142D000-memory.dmp

Filesize
180KB

Download