Analysis
max time kernel: 152s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 11:01
Static task: static1
Behavioral task: behavioral1 (Sample: 64new_cip4.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: 64new_cip4.exe, Resource: win10v2004-20221111-en)
General
Target: 64new_cip4.exe
Size: 309KB
MD5: 0b69c52d88d2c047bf176d59b2f9ce4c
SHA1: 43a770e0f2fe02b606f37c29d8dd81d57ce233b8
SHA256: 4e388c10feaa2c897a5c7816eb899b314b4a5cd4342d9a1a5f1800623153e890
SHA512: 7514371f10bbaf9e7db698347741ae66770d4ed1a2ad43fbb8f86d0ee13e54d652fd16b7410462e040cbeda19a7224af4431207dc0a197102ba00553639c4f72
SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0I3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3oaw7c
Malware Config
Extracted
\??\A:\!-Recovery_Instructions-!.html
Mikesupp77@outlook.com
https://tox.chat/download.html
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description          | pid | process        | target process
  PID 644 created 2532 | 644 | 64new_cip4.exe | Explorer.EXE

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  description  | ioc                                                                                                  | process
  File renamed | C:\Users\Admin\Pictures\CheckpointEnable.tif => C:\Users\Admin\Pictures\CheckpointEnable.tif.cipher4 | 64new_cip4.exe
  File renamed | C:\Users\Admin\Pictures\ExitSuspend.png => C:\Users\Admin\Pictures\ExitSuspend.png.cipher4           | 64new_cip4.exe
  File renamed | C:\Users\Admin\Pictures\SplitSearch.raw => C:\Users\Admin\Pictures\SplitSearch.raw.cipher4           | 64new_cip4.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  File opened (read-only) by 64new_cip4.exe: \??\T:, \??\U:, \??\F:, \??\H:, \??\O:, \??\P:, \??\M:, \??\Q:, \??\R:, \??\Y:, \??\K:, \??\S:, \??\Z:, \??\B:, \??\G:, \??\I:, \??\J:, \??\V:, \??\W:, \??\X:, \??\A:, \??\E:, \??\L:, \??\N:

Kills process with taskkill (16 IoCs)
Processes:
  taskkill.exe PIDs: 4756, 3576, 428, 4320, 2216, 3872, 3920, 4308, 2116, 888, 3732, 2976, 2192, 4988, 1820, 1320

Runs net.exe

Suspicious behavior: EnumeratesProcesses (56 IoCs)
Processes:
  64new_cip4.exe (PID 644): 56 events

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
  Token: SeDebugPrivilege, taskkill.exe PIDs: 3872, 2192, 3920, 4756, 4988, 3576, 428, 4320, 4308, 1820, 888, 2216, 2116, 1320, 3732, 2976

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID -> target PID):
  64new_cip4.exe (644) -> cmd.exe (3 events each): 5100, 4516, 3756, 3996, 1104, 3616, 4820, 4136, 1004, 3340
  cmd.exe -> cmd.exe (2 events each): 5100 -> 4284, 4516 -> 2488, 3756 -> 3916, 3996 -> 3036, 1104 -> 4860, 3616 -> 1828, 4820 -> 4464, 4136 -> 312, 1004 -> 1460
  cmd.exe -> taskkill.exe (2 events each): 2488 -> 3872, 3916 -> 2192, 3036 -> 3920, 4860 -> 4756, 1828 -> 4988, 4464 -> 3576, 312 -> 428, 1460 -> 4320

System policy modification (1 TTP, 4 IoCs)
Processes:
  description     | ioc                                                                                                       | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip4.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                               | 64new_cip4.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip4.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                               | 64new_cip4.exe
Processes
(process tree, indented by depth; each entry is "image path | command line", with triggered signatures listed beneath it)

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\64new_cip4.exe | "C:\Users\Admin\AppData\Local\Temp\64new_cip4.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Modifies extensions of user files
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlbrowser.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlwriter.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlservr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im msmdsrv.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im MsDtsSrvr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlceip.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im fdlauncher.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im Ssms.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        C:\Windows\system32\taskkill.exe | taskkill -f -im SQLAGENT.EXE
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im fdhost.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im fdlauncher.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlservr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im ReportingServicesService.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im msftesql.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im pg_ctl.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im postgres.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        C:\Windows\system32\net.exe | net stop MSSQLServerADHelper100
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQLServerADHelper100
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        C:\Windows\system32\net.exe | net stop MSSQL$ISARS
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        C:\Windows\system32\net.exe | net stop MSSQL$MSFW
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQL$MSFW
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        C:\Windows\system32\net.exe | net stop SQLAgent$ISARS
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLAgent$ISARS
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        C:\Windows\system32\net.exe | net stop SQLAgent$MSFW
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLAgent$MSFW
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        C:\Windows\system32\net.exe | net stop SQLBrowser
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLBrowser
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        C:\Windows\system32\net.exe | net stop ReportServer$ISARS
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ReportServer$ISARS
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        C:\Windows\system32\net.exe | net stop SQLWriter
  C:\Users\Admin\AppData\Local\Temp\64new_cip4.exe | \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip4.exe -network
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c pause
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQL$ISARS
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLWriter
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads