Analysis
max time kernel: 150s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: 64new_cip1.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 64new_cip1.exe
  Resource: win10v2004-20221111-en
General
Target: 64new_cip1.exe
Size: 309KB
MD5: 13f7d86f390ac912fd0c77ac7ab97c7b
SHA1: bb19dd7ff1d34e9ae08589b0f6350319d8a15749
SHA256: 6fcf7c819d14c864edd0658cc56fd54e6b4af1c642b3d12c0943a0daee3dbaa2
SHA512: 1d4aae22f204257d401b1b0faf57c65de25740513a33a361c558cbaf9fa7d407df69499d474a7bd33c73ac1e08b0ffc9bcb77177d4abb704520db4ccf6313722
SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0/3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3Haw7c
Malware Config
Extracted
\??\A:\!-Recovery_Instructions-!.html
Mikesupp77@outlook.com
https://tox.chat/download.html
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 4168 created 2600 | 4168 | 64new_cip1.exe | Explorer.EXE
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\CloseStart.tif => C:\Users\Admin\Pictures\CloseStart.tif.cipher1 | 64new_cip1.exe
File opened for modification | C:\Users\Admin\Pictures\DebugConvert.tiff | 64new_cip1.exe
File renamed | C:\Users\Admin\Pictures\DebugConvert.tiff => C:\Users\Admin\Pictures\DebugConvert.tiff.cipher1 | 64new_cip1.exe
File renamed | C:\Users\Admin\Pictures\ResetResolve.crw => C:\Users\Admin\Pictures\ResetResolve.crw.cipher1 | 64new_cip1.exe
File renamed | C:\Users\Admin\Pictures\UnblockUndo.png => C:\Users\Admin\Pictures\UnblockUndo.png.cipher1 | 64new_cip1.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\B:, \??\H:, \??\N:, \??\Z:, \??\A:, \??\G:, \??\L:, \??\S:, \??\T:, \??\U:, \??\X:, \??\Y:, \??\F:, \??\I:, \??\J:, \??\V:, \??\W:, \??\E:, \??\K:, \??\M:, \??\O:, \??\P:, \??\Q:, \??\R: (24 drive roots, one IoC each) | 64new_cip1.exe
Kills process with taskkill 16 IoCs
Processes:
pid | process
3636, 5060, 768, 1492, 3652, 3020, 1180, 4356, 4920, 756, 4232, 2184, 1720, 1248, 1500, 5088 | taskkill.exe (16 entries, one per pid)
Runs net.exe
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
pid | process
4168 | 64new_cip1.exe (56 identical entries)
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 5060, 2184, 4356, 768, 1720, 1492, 4920, 756, 3652, 1248, 3020, 4232, 1500, 1180, 5088, 3636 | taskkill.exe (16 entries, one per pid)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | entries
PID 4168 wrote to memory of 1444 | 4168 | 64new_cip1.exe | cmd.exe | x3
PID 1444 wrote to memory of 4336 | 1444 | cmd.exe | cmd.exe | x2
PID 4168 wrote to memory of 4916 | 4168 | 64new_cip1.exe | cmd.exe | x3
PID 4916 wrote to memory of 4012 | 4916 | cmd.exe | cmd.exe | x2
PID 4012 wrote to memory of 5060 | 4012 | cmd.exe | taskkill.exe | x2
PID 4168 wrote to memory of 1488 | 4168 | 64new_cip1.exe | cmd.exe | x3
PID 1488 wrote to memory of 3108 | 1488 | cmd.exe | cmd.exe | x2
PID 3108 wrote to memory of 2184 | 3108 | cmd.exe | taskkill.exe | x2
PID 4168 wrote to memory of 2192 | 4168 | 64new_cip1.exe | cmd.exe | x3
PID 2192 wrote to memory of 1000 | 2192 | cmd.exe | cmd.exe | x2
PID 1000 wrote to memory of 4356 | 1000 | cmd.exe | taskkill.exe | x2
PID 4168 wrote to memory of 4564 | 4168 | 64new_cip1.exe | cmd.exe | x3
PID 4564 wrote to memory of 3468 | 4564 | cmd.exe | cmd.exe | x2
PID 3468 wrote to memory of 768 | 3468 | cmd.exe | taskkill.exe | x2
PID 4168 wrote to memory of 4968 | 4168 | 64new_cip1.exe | cmd.exe | x3
PID 4968 wrote to memory of 3988 | 4968 | cmd.exe | cmd.exe | x2
PID 3988 wrote to memory of 1720 | 3988 | cmd.exe | taskkill.exe | x2
PID 4168 wrote to memory of 2800 | 4168 | 64new_cip1.exe | cmd.exe | x3
PID 2800 wrote to memory of 1688 | 2800 | cmd.exe | cmd.exe | x2
PID 1688 wrote to memory of 1492 | 1688 | cmd.exe | taskkill.exe | x2
PID 4168 wrote to memory of 1036 | 4168 | 64new_cip1.exe | cmd.exe | x3
PID 1036 wrote to memory of 4596 | 1036 | cmd.exe | cmd.exe | x2
PID 4596 wrote to memory of 4920 | 4596 | cmd.exe | taskkill.exe | x2
PID 4168 wrote to memory of 4548 | 4168 | 64new_cip1.exe | cmd.exe | x3
PID 4548 wrote to memory of 804 | 4548 | cmd.exe | cmd.exe | x2
PID 804 wrote to memory of 756 | 804 | cmd.exe | taskkill.exe | x2
PID 4168 wrote to memory of 728 | 4168 | 64new_cip1.exe | cmd.exe | x3
(64 entries in total; identical rows are collapsed, with the repeat count in the last column)
System policy modification 1 TTPs 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 64new_cip1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 64new_cip1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip1.exe
Processes
(process tree; indentation shows parent/child depth, each line is image path followed by its command line, signatures listed under the process that triggered them)
C:\Windows\Explorer.EXE  cmdline: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\64new_cip1.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\64new_cip1.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Modifies extensions of user files
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im sqlbrowser.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im sqlwriter.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im sqlservr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im msmdsrv.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im MsDtsSrvr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im sqlceip.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im fdlauncher.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im Ssms.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im SQLAGENT.EXE
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im fdhost.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im fdlauncher.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im sqlservr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im ReportingServicesService.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im msftesql.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im pg_ctl.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        C:\Windows\system32\taskkill.exe  cmdline: taskkill -f -im postgres.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        C:\Windows\system32\net.exe  cmdline: net stop MSSQLServerADHelper100
          C:\Windows\system32\net1.exe  cmdline: C:\Windows\system32\net1 stop MSSQLServerADHelper100
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        C:\Windows\system32\net.exe  cmdline: net stop MSSQL$ISARS
          C:\Windows\system32\net1.exe  cmdline: C:\Windows\system32\net1 stop MSSQL$ISARS
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        C:\Windows\system32\net.exe  cmdline: net stop MSSQL$MSFW
          C:\Windows\system32\net1.exe  cmdline: C:\Windows\system32\net1 stop MSSQL$MSFW
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        C:\Windows\system32\net.exe  cmdline: net stop SQLAgent$ISARS
          C:\Windows\system32\net1.exe  cmdline: C:\Windows\system32\net1 stop SQLAgent$ISARS
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        C:\Windows\system32\net.exe  cmdline: net stop SQLAgent$MSFW
          C:\Windows\system32\net1.exe  cmdline: C:\Windows\system32\net1 stop SQLAgent$MSFW
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        C:\Windows\system32\net.exe  cmdline: net stop SQLBrowser
          C:\Windows\system32\net1.exe  cmdline: C:\Windows\system32\net1 stop SQLBrowser
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        C:\Windows\system32\net.exe  cmdline: net stop ReportServer$ISARS
          C:\Windows\system32\net1.exe  cmdline: C:\Windows\system32\net1 stop ReportServer$ISARS
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      C:\Windows\system32\cmd.exe  cmdline: C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        C:\Windows\system32\net.exe  cmdline: net stop SQLWriter
          C:\Windows\system32\net1.exe  cmdline: C:\Windows\system32\net1 stop SQLWriter
  C:\Users\Admin\AppData\Local\Temp\64new_cip1.exe  cmdline: \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip1.exe -network
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c pause
Downloads