Analysis
- max time kernel: 152s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 11:01
Static task: static1
Behavioral task: behavioral1
- Sample: 64new_cip2.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 64new_cip2.exe
- Resource: win10v2004-20221111-en
General
- Target: 64new_cip2.exe
- Size: 309KB
- MD5: 0baa60f8c2818424c9a9c1f3cfc42aad
- SHA1: 575052a2196cd8f6d3c5b1955fbf5a93dc9b53f9
- SHA256: 11b4f023c60e07c179521db3198e3bb66b00bd2bad889344fc4f9cfb5d0f43a9
- SHA512: fdc3ab1ee482336f558f26cd56cf748fce7508c73f32a90c7aab041ea4dbcd1b5bc36dc222642757f77eb677cc3f3b2383ce66e287db092bb5d40e1bf5be393c
- SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l063WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3Saw7c
Malware Config
Extracted from \??\A:\!-Recovery_Instructions-!.html:
- Mikesupp77@outlook.com
- https://tox.chat/download.html
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
  - PID 1180 created 2708 | 1180 | 64new_cip2.exe | Explorer.EXE
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (ioc | process):
  - File renamed C:\Users\Admin\Pictures\AddStop.crw => C:\Users\Admin\Pictures\AddStop.crw.cipher2 | 64new_cip2.exe
  - File renamed C:\Users\Admin\Pictures\UpdateReset.png => C:\Users\Admin\Pictures\UpdateReset.png.cipher2 | 64new_cip2.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (ioc | process): "File opened (read-only)" by 64new_cip2.exe for each of the following paths, in the order reported:
  \??\H:, \??\K:, \??\R:, \??\T:, \??\F:, \??\G:, \??\O:, \??\V:, \??\X:, \??\B:, \??\L:, \??\N:, \??\Q:, \??\U:, \??\W:, \??\Y:, \??\Z:, \??\E:, \??\I:, \??\J:, \??\M:, \??\P:, \??\S:, \??\A:
- Kills process with taskkill (16 IoCs)
  Processes (pid | process): taskkill.exe with PIDs 3520, 1136, 544, 3360, 3588, 3028, 2008, 4800, 4712, 1000, 3564, 4836, 4908, 4716, 588, 3572
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (56 IoCs)
  Processes (pid | process): 1180 | 64new_cip2.exe, reported 56 times
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes (description | pid | process): Token: SeDebugPrivilege for taskkill.exe with PIDs 3520, 4716, 588, 3572, 4712, 1136, 544, 1000, 3564, 3588, 3028, 4800, 2008, 4836, 4908, 3360
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process), 64 rows with identical consecutive rows collapsed and counted:
  - PID 1180 wrote to memory of 1924 | 1180 | 64new_cip2.exe | cmd.exe (x3)
  - PID 1924 wrote to memory of 1380 | 1924 | cmd.exe | cmd.exe (x2)
  - PID 1180 wrote to memory of 1012 | 1180 | 64new_cip2.exe | cmd.exe (x3)
  - PID 1012 wrote to memory of 5016 | 1012 | cmd.exe | cmd.exe (x2)
  - PID 5016 wrote to memory of 3520 | 5016 | cmd.exe | taskkill.exe (x2)
  - PID 1180 wrote to memory of 4884 | 1180 | 64new_cip2.exe | cmd.exe (x3)
  - PID 4884 wrote to memory of 1828 | 4884 | cmd.exe | cmd.exe (x2)
  - PID 1828 wrote to memory of 4716 | 1828 | cmd.exe | taskkill.exe (x2)
  - PID 1180 wrote to memory of 1660 | 1180 | 64new_cip2.exe | cmd.exe (x3)
  - PID 1660 wrote to memory of 2612 | 1660 | cmd.exe | cmd.exe (x2)
  - PID 2612 wrote to memory of 588 | 2612 | cmd.exe | taskkill.exe (x2)
  - PID 1180 wrote to memory of 3080 | 1180 | 64new_cip2.exe | cmd.exe (x3)
  - PID 3080 wrote to memory of 932 | 3080 | cmd.exe | cmd.exe (x2)
  - PID 932 wrote to memory of 3572 | 932 | cmd.exe | taskkill.exe (x2)
  - PID 1180 wrote to memory of 3068 | 1180 | 64new_cip2.exe | cmd.exe (x3)
  - PID 3068 wrote to memory of 1152 | 3068 | cmd.exe | cmd.exe (x2)
  - PID 1152 wrote to memory of 4712 | 1152 | cmd.exe | taskkill.exe (x2)
  - PID 1180 wrote to memory of 2360 | 1180 | 64new_cip2.exe | cmd.exe (x3)
  - PID 2360 wrote to memory of 4336 | 2360 | cmd.exe | cmd.exe (x2)
  - PID 4336 wrote to memory of 1136 | 4336 | cmd.exe | taskkill.exe (x2)
  - PID 1180 wrote to memory of 1964 | 1180 | 64new_cip2.exe | cmd.exe (x3)
  - PID 1964 wrote to memory of 1392 | 1964 | cmd.exe | cmd.exe (x2)
  - PID 1392 wrote to memory of 544 | 1392 | cmd.exe | taskkill.exe (x2)
  - PID 1180 wrote to memory of 3048 | 1180 | 64new_cip2.exe | cmd.exe (x3)
  - PID 3048 wrote to memory of 2264 | 3048 | cmd.exe | cmd.exe (x2)
  - PID 2264 wrote to memory of 1000 | 2264 | cmd.exe | taskkill.exe (x2)
  - PID 1180 wrote to memory of 1080 | 1180 | 64new_cip2.exe | cmd.exe (x3)
- System policy modification (1 TTPs, 4 IoCs)
  Processes (description | ioc | process), reported for both 64new_cip2.exe instances:
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip2.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 64new_cip2.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip2.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 64new_cip2.exe
Processes (tree; each entry gives the image path, then the command line, then the signatures hit by that process)
- C:\Windows\Explorer.EXE (cmd: C:\Windows\Explorer.EXE)
  - C:\Users\Admin\AppData\Local\Temp\64new_cip2.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\64new_cip2.exe")
    sig: Suspicious use of NtCreateUserProcessOtherParentProcess; Modifies extensions of user files; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL")
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL")
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe)
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe)
        sig: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im sqlbrowser.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe)
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe)
        sig: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im sqlwriter.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe)
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe)
        sig: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im sqlservr.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe)
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe)
        sig: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im msmdsrv.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe)
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe)
        sig: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im MsDtsSrvr.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe)
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe)
        sig: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im sqlceip.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe)
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe)
        sig: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im fdlauncher.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe)
      sig: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe)
        sig: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im Ssms.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE)
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im SQLAGENT.EXE)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe)
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im fdhost.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe)
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im fdlauncher.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe)
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im sqlservr.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe)
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im ReportingServicesService.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe)
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im msftesql.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe)
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im pg_ctl.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe)
        - C:\Windows\system32\taskkill.exe (cmd: taskkill -f -im postgres.exe)
          sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100)
        - C:\Windows\system32\net.exe (cmd: net stop MSSQLServerADHelper100)
          - C:\Windows\system32\net1.exe (cmd: C:\Windows\system32\net1 stop MSSQLServerADHelper100)
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS)
        - C:\Windows\system32\net.exe (cmd: net stop MSSQL$ISARS)
          - C:\Windows\system32\net1.exe (cmd: C:\Windows\system32\net1 stop MSSQL$ISARS)
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW)
        - C:\Windows\system32\net.exe (cmd: net stop MSSQL$MSFW)
          - C:\Windows\system32\net1.exe (cmd: C:\Windows\system32\net1 stop MSSQL$MSFW)
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS)
        - C:\Windows\system32\net.exe (cmd: net stop SQLAgent$ISARS)
          - C:\Windows\system32\net1.exe (cmd: C:\Windows\system32\net1 stop SQLAgent$ISARS)
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW)
        - C:\Windows\system32\net.exe (cmd: net stop SQLAgent$MSFW)
          - C:\Windows\system32\net1.exe (cmd: C:\Windows\system32\net1 stop SQLAgent$MSFW)
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser)
        - C:\Windows\system32\net.exe (cmd: net stop SQLBrowser)
          - C:\Windows\system32\net1.exe (cmd: C:\Windows\system32\net1 stop SQLBrowser)
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS)
        - C:\Windows\system32\net.exe (cmd: net stop ReportServer$ISARS)
          - C:\Windows\system32\net1.exe (cmd: C:\Windows\system32\net1 stop ReportServer$ISARS)
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter)
      - C:\Windows\system32\cmd.exe (cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLWriter)
        - C:\Windows\system32\net.exe (cmd: net stop SQLWriter)
          - C:\Windows\system32\net1.exe (cmd: C:\Windows\system32\net1 stop SQLWriter)
  - C:\Users\Admin\AppData\Local\Temp\64new_cip2.exe (cmd: \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip2.exe -network)
    sig: System policy modification
    - C:\Windows\SysWOW64\cmd.exe (cmd: C:\Windows\system32\cmd.exe /c pause)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/544-154-0x0000000000000000-mapping.dmp
- memory/588-142-0x0000000000000000-mapping.dmp
- memory/712-177-0x0000000000000000-mapping.dmp
- memory/800-162-0x0000000000000000-mapping.dmp
- memory/932-144-0x0000000000000000-mapping.dmp
- memory/1000-157-0x0000000000000000-mapping.dmp
- memory/1012-134-0x0000000000000000-mapping.dmp
- memory/1080-158-0x0000000000000000-mapping.dmp
- memory/1104-186-0x0000000000000000-mapping.dmp
- memory/1136-151-0x0000000000000000-mapping.dmp
- memory/1152-147-0x0000000000000000-mapping.dmp
- memory/1248-176-0x0000000000000000-mapping.dmp
- memory/1380-133-0x0000000000000000-mapping.dmp
- memory/1384-193-0x0000000000000000-mapping.dmp
- memory/1392-153-0x0000000000000000-mapping.dmp
- memory/1500-165-0x0000000000000000-mapping.dmp
- memory/1504-195-0x0000000000000000-mapping.dmp
- memory/1592-159-0x0000000000000000-mapping.dmp
- memory/1660-140-0x0000000000000000-mapping.dmp
- memory/1796-187-0x0000000000000000-mapping.dmp
- memory/1828-138-0x0000000000000000-mapping.dmp
- memory/1832-164-0x0000000000000000-mapping.dmp
- memory/1924-132-0x0000000000000000-mapping.dmp
- memory/1964-152-0x0000000000000000-mapping.dmp
- memory/2008-172-0x0000000000000000-mapping.dmp
- memory/2264-156-0x0000000000000000-mapping.dmp
- memory/2272-192-0x0000000000000000-mapping.dmp
- memory/2276-184-0x0000000000000000-mapping.dmp
- memory/2288-189-0x0000000000000000-mapping.dmp
- memory/2360-149-0x0000000000000000-mapping.dmp
- memory/2532-168-0x0000000000000000-mapping.dmp
- memory/2612-141-0x0000000000000000-mapping.dmp
- memory/2660-194-0x0000000000000000-mapping.dmp
- memory/2688-185-0x0000000000000000-mapping.dmp
- memory/3028-166-0x0000000000000000-mapping.dmp
- memory/3048-155-0x0000000000000000-mapping.dmp
- memory/3068-146-0x0000000000000000-mapping.dmp
- memory/3080-188-0x0000000000000000-mapping.dmp
- memory/3080-143-0x0000000000000000-mapping.dmp
- memory/3292-170-0x0000000000000000-mapping.dmp
- memory/3360-181-0x0000000000000000-mapping.dmp
- memory/3400-167-0x0000000000000000-mapping.dmp
- memory/3520-136-0x0000000000000000-mapping.dmp
- memory/3520-183-0x0000000000000000-mapping.dmp
- memory/3564-160-0x0000000000000000-mapping.dmp
- memory/3572-145-0x0000000000000000-mapping.dmp
- memory/3576-182-0x0000000000000000-mapping.dmp
- memory/3588-163-0x0000000000000000-mapping.dmp
- memory/3612-190-0x0000000000000000-mapping.dmp
- memory/4052-161-0x0000000000000000-mapping.dmp
- memory/4256-180-0x0000000000000000-mapping.dmp
- memory/4284-173-0x0000000000000000-mapping.dmp
- memory/4336-150-0x0000000000000000-mapping.dmp
- memory/4468-179-0x0000000000000000-mapping.dmp
- memory/4712-148-0x0000000000000000-mapping.dmp
- memory/4716-139-0x0000000000000000-mapping.dmp
- memory/4720-174-0x0000000000000000-mapping.dmp
- memory/4800-169-0x0000000000000000-mapping.dmp
- memory/4836-175-0x0000000000000000-mapping.dmp
- memory/4884-137-0x0000000000000000-mapping.dmp
- memory/4908-178-0x0000000000000000-mapping.dmp
- memory/4936-191-0x0000000000000000-mapping.dmp
- memory/5000-171-0x0000000000000000-mapping.dmp
- memory/5016-135-0x0000000000000000-mapping.dmp