Analysis
max time kernel: 151s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 11:01
Static task: static1
Behavioral task: behavioral1 (Sample: 64new_cip3.exe, Resource: win7-20221111-en)
Behavioral task: behavioral2 (Sample: 64new_cip3.exe, Resource: win10v2004-20221111-en)
General
Target: 64new_cip3.exe
Size: 309KB
MD5: f6bc1b461df6cdd28183fdde78c630d2
SHA1: a22826c3d4ad28ef0b6e1971ffb59e65b1412d54
SHA256: 56e8399a61644e1ec4324caa8a99313d383c667f5296a9ed4f975a41590fe00b
SHA512: ce93efbc96c9409aea1f1d9fa2c773ded2e1b1a018a0a8d7993e3560c5a3d9e3696f5edce497a8a3864cc9b7d65f7e122e89e83073686d1ef50a37df902cfca0
SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0N3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++39aw7c
Malware Config
Extracted from: \??\A:\!-Recovery_Instructions-!.html
Email: Mikesupp77@outlook.com
URL: https://tox.chat/download.html
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  (description | pid | process | target process)
  PID 1476 created 1208 | 1476 | 64new_cip3.exe | Explorer.EXE

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  (description | ioc | process)
  File renamed | C:\Users\Admin\Pictures\EditComplete.tif => C:\Users\Admin\Pictures\EditComplete.tif.cipher3 | 64new_cip3.exe
  File renamed | C:\Users\Admin\Pictures\PublishOpen.png => C:\Users\Admin\Pictures\PublishOpen.png.cipher3 | 64new_cip3.exe
  File renamed | C:\Users\Admin\Pictures\UndoRestore.tif => C:\Users\Admin\Pictures\UndoRestore.tif.cipher3 | 64new_cip3.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  (description | ioc | process)
  File opened (read-only) by 64new_cip3.exe, one entry per drive, in the order reported: \??\Y:, \??\E:, \??\F:, \??\K:, \??\J:, \??\L:, \??\M:, \??\P:, \??\Q:, \??\A:, \??\G:, \??\H:, \??\S:, \??\X:, \??\R:, \??\U:, \??\W:, \??\Z:, \??\B:, \??\I:, \??\O:, \??\N:, \??\T:, \??\V:

Kills process with taskkill (16 IoCs)
Processes:
  (pid | process)
  taskkill.exe with pids 552, 1496, 1564, 1292, 968, 1332, 1252, 728, 1884, 1096, 1584, 1312, 1124, 1016, 1088, 808

Runs net.exe

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
  (pid | process)
  1476 | 64new_cip3.exe (60 entries, all for this pid)

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
  (description | pid | process)
  Token: SeDebugPrivilege | taskkill.exe, pids in the order reported: 1088, 1096, 552, 808, 968, 1332, 1584, 1496, 1252, 728, 1312, 1124, 1884, 1564, 1292, 1016

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  (description | pid | process | target process; identical entries are counted)
  PID 1476 wrote to memory of 560 | 1476 | 64new_cip3.exe | cmd.exe (x4)
  PID 560 wrote to memory of 1712 | 560 | cmd.exe | cmd.exe (x4)
  PID 1476 wrote to memory of 876 | 1476 | 64new_cip3.exe | cmd.exe (x4)
  PID 876 wrote to memory of 1716 | 876 | cmd.exe | cmd.exe (x4)
  PID 1716 wrote to memory of 1088 | 1716 | cmd.exe | taskkill.exe (x3)
  PID 1476 wrote to memory of 1524 | 1476 | 64new_cip3.exe | cmd.exe (x4)
  PID 1524 wrote to memory of 732 | 1524 | cmd.exe | cmd.exe (x4)
  PID 732 wrote to memory of 1096 | 732 | cmd.exe | taskkill.exe (x3)
  PID 1476 wrote to memory of 880 | 1476 | 64new_cip3.exe | cmd.exe (x4)
  PID 880 wrote to memory of 292 | 880 | cmd.exe | cmd.exe (x4)
  PID 292 wrote to memory of 552 | 292 | cmd.exe | taskkill.exe (x3)
  PID 1476 wrote to memory of 956 | 1476 | 64new_cip3.exe | cmd.exe (x4)
  PID 956 wrote to memory of 1268 | 956 | cmd.exe | cmd.exe (x4)
  PID 1268 wrote to memory of 808 | 1268 | cmd.exe | taskkill.exe (x3)
  PID 1476 wrote to memory of 1048 | 1476 | 64new_cip3.exe | cmd.exe (x4)
  PID 1048 wrote to memory of 1732 | 1048 | cmd.exe | cmd.exe (x4)
  PID 1732 wrote to memory of 968 | 1732 | cmd.exe | taskkill.exe (x3)
  PID 1476 wrote to memory of 1788 | 1476 | 64new_cip3.exe | cmd.exe (x1)

System policy modification (1 TTPs, 4 IoCs)
Processes:
  (description | ioc | process)
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 64new_cip3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 64new_cip3.exe
Processes
(process tree; indentation shows parent/child depth, each entry gives the image path, its command line, and the signatures triggered by that process)

C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\64new_cip3.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\64new_cip3.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Modifies extensions of user files
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im sqlbrowser.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im sqlwriter.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im sqlservr.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im msmdsrv.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im MsDtsSrvr.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im sqlceip.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im fdlauncher.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im Ssms.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im SQLAGENT.EXE
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im fdhost.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im fdlauncher.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im sqlservr.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im ReportingServicesService.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im msftesql.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im pg_ctl.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
                C:\Windows\system32\taskkill.exe
                  cmdline: taskkill -f -im postgres.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
                C:\Windows\system32\net.exe
                  cmdline: net stop MSSQLServerADHelper100
                    C:\Windows\system32\net1.exe
                      cmdline: C:\Windows\system32\net1 stop MSSQLServerADHelper100
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
                C:\Windows\system32\net.exe
                  cmdline: net stop MSSQL$ISARS
                    C:\Windows\system32\net1.exe
                      cmdline: C:\Windows\system32\net1 stop MSSQL$ISARS
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
                C:\Windows\system32\net.exe
                  cmdline: net stop MSSQL$MSFW
                    C:\Windows\system32\net1.exe
                      cmdline: C:\Windows\system32\net1 stop MSSQL$MSFW
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
                C:\Windows\system32\net.exe
                  cmdline: net stop SQLAgent$ISARS
                    C:\Windows\system32\net1.exe
                      cmdline: C:\Windows\system32\net1 stop SQLAgent$ISARS
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
                C:\Windows\system32\net.exe
                  cmdline: net stop SQLAgent$MSFW
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
                C:\Windows\system32\net.exe
                  cmdline: net stop SQLBrowser
                    C:\Windows\system32\net1.exe
                      cmdline: C:\Windows\system32\net1 stop SQLBrowser
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
                C:\Windows\system32\net.exe
                  cmdline: net stop ReportServer$ISARS
                    C:\Windows\system32\net1.exe
                      cmdline: C:\Windows\system32\net1 stop ReportServer$ISARS
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
            C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
                C:\Windows\system32\net.exe
                  cmdline: net stop SQLWriter
                    C:\Windows\system32\net1.exe
                      cmdline: C:\Windows\system32\net1 stop SQLWriter
    C:\Users\Admin\AppData\Local\Temp\64new_cip3.exe
      cmdline: \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip3.exe -network
      - System policy modification
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c pause
C:\Windows\system32\net1.exe
  cmdline: C:\Windows\system32\net1 stop SQLAgent$MSFW
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/292-64-0x0000000000000000-mapping.dmp
memory/544-111-0x0000000000000000-mapping.dmp
memory/552-65-0x0000000000000000-mapping.dmp
memory/560-55-0x0000000000000000-mapping.dmp
memory/560-102-0x0000000000000000-mapping.dmp
memory/596-104-0x0000000000000000-mapping.dmp
memory/608-73-0x0000000000000000-mapping.dmp
memory/652-99-0x0000000000000000-mapping.dmp
memory/680-107-0x0000000000000000-mapping.dmp
memory/728-109-0x0000000000000000-mapping.dmp
memory/728-86-0x0000000000000000-mapping.dmp
memory/732-61-0x0000000000000000-mapping.dmp
memory/748-81-0x0000000000000000-mapping.dmp
memory/808-68-0x0000000000000000-mapping.dmp
memory/840-115-0x0000000000000000-mapping.dmp
memory/876-57-0x0000000000000000-mapping.dmp
memory/876-105-0x0000000000000000-mapping.dmp
memory/880-63-0x0000000000000000-mapping.dmp
memory/896-76-0x0000000000000000-mapping.dmp
memory/904-88-0x0000000000000000-mapping.dmp
memory/936-112-0x0000000000000000-mapping.dmp
memory/956-66-0x0000000000000000-mapping.dmp
memory/968-71-0x0000000000000000-mapping.dmp
memory/1008-91-0x0000000000000000-mapping.dmp
memory/1016-103-0x0000000000000000-mapping.dmp
memory/1048-69-0x0000000000000000-mapping.dmp
memory/1088-59-0x0000000000000000-mapping.dmp
memory/1096-110-0x0000000000000000-mapping.dmp
memory/1096-62-0x0000000000000000-mapping.dmp
memory/1100-108-0x0000000000000000-mapping.dmp
memory/1124-92-0x0000000000000000-mapping.dmp
memory/1124-118-0x0000000000000000-mapping.dmp
memory/1252-83-0x0000000000000000-mapping.dmp
memory/1268-67-0x0000000000000000-mapping.dmp
memory/1288-100-0x0000000000000000-mapping.dmp
memory/1312-89-0x0000000000000000-mapping.dmp
memory/1332-74-0x0000000000000000-mapping.dmp
memory/1336-117-0x0000000000000000-mapping.dmp
memory/1372-84-0x0000000000000000-mapping.dmp
memory/1460-116-0x0000000000000000-mapping.dmp
memory/1476-54-0x0000000075D01000-0x0000000075D03000-memory.dmp (Filesize: 8KB)
memory/1492-79-0x0000000000000000-mapping.dmp
memory/1496-80-0x0000000000000000-mapping.dmp
memory/1524-60-0x0000000000000000-mapping.dmp
memory/1564-98-0x0000000000000000-mapping.dmp
memory/1584-77-0x0000000000000000-mapping.dmp
memory/1612-96-0x0000000000000000-mapping.dmp
memory/1660-75-0x0000000000000000-mapping.dmp
memory/1696-113-0x0000000000000000-mapping.dmp
memory/1708-114-0x0000000000000000-mapping.dmp
memory/1708-87-0x0000000000000000-mapping.dmp
memory/1712-56-0x0000000000000000-mapping.dmp
memory/1716-58-0x0000000000000000-mapping.dmp
memory/1724-82-0x0000000000000000-mapping.dmp
memory/1732-70-0x0000000000000000-mapping.dmp
memory/1736-78-0x0000000000000000-mapping.dmp
memory/1740-101-0x0000000000000000-mapping.dmp
memory/1756-93-0x0000000000000000-mapping.dmp
memory/1768-94-0x0000000000000000-mapping.dmp
memory/1788-72-0x0000000000000000-mapping.dmp
memory/1864-97-0x0000000000000000-mapping.dmp
memory/1872-106-0x0000000000000000-mapping.dmp
memory/1884-95-0x0000000000000000-mapping.dmp
memory/1896-85-0x0000000000000000-mapping.dmp
memory/2008-90-0x0000000000000000-mapping.dmp