Analysis
max time kernel: 156s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: 64new_cip3.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 64new_cip3.exe
  Resource: win10v2004-20221111-en
General
Target: 64new_cip3.exe
Size: 309KB
MD5: f6bc1b461df6cdd28183fdde78c630d2
SHA1: a22826c3d4ad28ef0b6e1971ffb59e65b1412d54
SHA256: 56e8399a61644e1ec4324caa8a99313d383c667f5296a9ed4f975a41590fe00b
SHA512: ce93efbc96c9409aea1f1d9fa2c773ded2e1b1a018a0a8d7993e3560c5a3d9e3696f5edce497a8a3864cc9b7d65f7e122e89e83073686d1ef50a37df902cfca0
SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0N3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++39aw7c
Malware Config
Extracted from: \??\A:\Boot\!-Recovery_Instructions-!.html
Mikesupp77@outlook.com
https://tox.chat/download.html
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description            | pid | process        | target process
  PID 760 created 3040   | 760 | 64new_cip3.exe | Explorer.EXE

Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  description  | ioc                                                                                       | process
  File renamed | C:\Users\Admin\Pictures\StepWait.crw => C:\Users\Admin\Pictures\StepWait.crw.cipher3     | 64new_cip3.exe
  File renamed | C:\Users\Admin\Pictures\SyncEnable.tif => C:\Users\Admin\Pictures\SyncEnable.tif.cipher3 | 64new_cip3.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description: File opened (read-only); process: 64new_cip3.exe; ioc (24 drive roots, in the order observed):
  \??\I: \??\K: \??\L: \??\N: \??\Q: \??\Y: \??\A: \??\B: \??\J: \??\S: \??\V: \??\X: \??\Z: \??\F: \??\H: \??\O: \??\P: \??\R: \??\U: \??\E: \??\G: \??\M: \??\T: \??\W:

Kills process with taskkill (16 IoCs)
Processes:
  process: taskkill.exe; pids (in the order observed):
  5068, 3576, 112, 4424, 4624, 1788, 64, 4524, 972, 2148, 4576, 1780, 4996, 4048, 1800, 4040

Runs net.exe

Suspicious behavior: EnumeratesProcesses (56 IoCs)
Processes:
  pid 760, process 64new_cip3.exe (all 56 entries are this same pid/process pair)

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
  description: Token: SeDebugPrivilege; process: taskkill.exe; pids (in the order observed):
  4996, 972, 4048, 112, 2148, 5068, 4424, 4576, 4624, 1788, 64, 1800, 1780, 3576, 4040, 4524

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical consecutive entries collapsed; the count column gives how many times each appears):
  description                      | pid  | process        | target process | count
  PID 760 wrote to memory of 2356  | 760  | 64new_cip3.exe | cmd.exe        | 3
  PID 2356 wrote to memory of 1556 | 2356 | cmd.exe        | cmd.exe        | 2
  PID 760 wrote to memory of 2528  | 760  | 64new_cip3.exe | cmd.exe        | 3
  PID 2528 wrote to memory of 2068 | 2528 | cmd.exe        | cmd.exe        | 2
  PID 2068 wrote to memory of 4996 | 2068 | cmd.exe        | taskkill.exe   | 2
  PID 760 wrote to memory of 3176  | 760  | 64new_cip3.exe | cmd.exe        | 3
  PID 3176 wrote to memory of 3056 | 3176 | cmd.exe        | cmd.exe        | 2
  PID 3056 wrote to memory of 972  | 3056 | cmd.exe        | taskkill.exe   | 2
  PID 760 wrote to memory of 3804  | 760  | 64new_cip3.exe | cmd.exe        | 3
  PID 3804 wrote to memory of 1580 | 3804 | cmd.exe        | cmd.exe        | 2
  PID 1580 wrote to memory of 4048 | 1580 | cmd.exe        | taskkill.exe   | 2
  PID 760 wrote to memory of 4676  | 760  | 64new_cip3.exe | cmd.exe        | 3
  PID 4676 wrote to memory of 4572 | 4676 | cmd.exe        | cmd.exe        | 2
  PID 4572 wrote to memory of 112  | 4572 | cmd.exe        | taskkill.exe   | 2
  PID 760 wrote to memory of 228   | 760  | 64new_cip3.exe | cmd.exe        | 3
  PID 228 wrote to memory of 4388  | 228  | cmd.exe        | cmd.exe        | 2
  PID 4388 wrote to memory of 2148 | 4388 | cmd.exe        | taskkill.exe   | 2
  PID 760 wrote to memory of 4680  | 760  | 64new_cip3.exe | cmd.exe        | 3
  PID 4680 wrote to memory of 4320 | 4680 | cmd.exe        | cmd.exe        | 2
  PID 4320 wrote to memory of 5068 | 4320 | cmd.exe        | taskkill.exe   | 2
  PID 760 wrote to memory of 4904  | 760  | 64new_cip3.exe | cmd.exe        | 3
  PID 4904 wrote to memory of 4288 | 4904 | cmd.exe        | cmd.exe        | 2
  PID 4288 wrote to memory of 4424 | 4288 | cmd.exe        | taskkill.exe   | 2
  PID 760 wrote to memory of 1108  | 760  | 64new_cip3.exe | cmd.exe        | 3
  PID 1108 wrote to memory of 3228 | 1108 | cmd.exe        | cmd.exe        | 2
  PID 3228 wrote to memory of 4576 | 3228 | cmd.exe        | taskkill.exe   | 2
  PID 760 wrote to memory of 4588  | 760  | 64new_cip3.exe | cmd.exe        | 3

System policy modification (1 TTP, 4 IoCs)
Processes (two instances of 64new_cip3.exe reported):
  description     | ioc                                                                                                       | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip3.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                               | 64new_cip3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip3.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                               | 64new_cip3.exe
Processes (tree; indentation shows parent/child depth, each entry gives the image path, then its command line, then the signatures it triggered)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\64new_cip3.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\64new_cip3.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Modifies extensions of user files
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlbrowser.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlwriter.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlservr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im msmdsrv.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im MsDtsSrvr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlceip.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im fdlauncher.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im Ssms.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im SQLAGENT.EXE
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im fdhost.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im fdlauncher.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlservr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im ReportingServicesService.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im msftesql.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im postgres.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        C:\Windows\system32\net.exe
          command line: net stop MSSQLServerADHelper100
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop MSSQLServerADHelper100
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        C:\Windows\system32\net.exe
          command line: net stop MSSQL$ISARS
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop MSSQL$ISARS
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        C:\Windows\system32\net.exe
          command line: net stop MSSQL$MSFW
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop MSSQL$MSFW
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        C:\Windows\system32\net.exe
          command line: net stop SQLAgent$ISARS
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop SQLAgent$ISARS
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        C:\Windows\system32\net.exe
          command line: net stop SQLAgent$MSFW
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop SQLAgent$MSFW
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        C:\Windows\system32\net.exe
          command line: net stop SQLBrowser
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop SQLBrowser
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        C:\Windows\system32\net.exe
          command line: net stop ReportServer$ISARS
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop ReportServer$ISARS
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        C:\Windows\system32\net.exe
          command line: net stop SQLWriter
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop SQLWriter
  C:\Users\Admin\AppData\Local\Temp\64new_cip3.exe
    command line: \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip3.exe -network
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c pause
C:\Windows\system32\taskkill.exe
  command line: taskkill -f -im pg_ctl.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/64-166-0x0000000000000000-mapping.dmp
- memory/112-145-0x0000000000000000-mapping.dmp
- memory/204-190-0x0000000000000000-mapping.dmp
- memory/228-146-0x0000000000000000-mapping.dmp
- memory/800-162-0x0000000000000000-mapping.dmp
- memory/872-187-0x0000000000000000-mapping.dmp
- memory/972-139-0x0000000000000000-mapping.dmp
- memory/1108-155-0x0000000000000000-mapping.dmp
- memory/1116-167-0x0000000000000000-mapping.dmp
- memory/1200-188-0x0000000000000000-mapping.dmp
- memory/1460-182-0x0000000000000000-mapping.dmp
- memory/1556-133-0x0000000000000000-mapping.dmp
- memory/1580-141-0x0000000000000000-mapping.dmp
- memory/1640-159-0x0000000000000000-mapping.dmp
- memory/1684-183-0x0000000000000000-mapping.dmp
- memory/1780-172-0x0000000000000000-mapping.dmp
- memory/1788-163-0x0000000000000000-mapping.dmp
- memory/1800-169-0x0000000000000000-mapping.dmp
- memory/1888-170-0x0000000000000000-mapping.dmp
- memory/1924-195-0x0000000000000000-mapping.dmp
- memory/2068-135-0x0000000000000000-mapping.dmp
- memory/2148-148-0x0000000000000000-mapping.dmp
- memory/2356-132-0x0000000000000000-mapping.dmp
- memory/2360-164-0x0000000000000000-mapping.dmp
- memory/2492-179-0x0000000000000000-mapping.dmp
- memory/2524-180-0x0000000000000000-mapping.dmp
- memory/2528-134-0x0000000000000000-mapping.dmp
- memory/2756-168-0x0000000000000000-mapping.dmp
- memory/2872-192-0x0000000000000000-mapping.dmp
- memory/2892-174-0x0000000000000000-mapping.dmp
- memory/2944-165-0x0000000000000000-mapping.dmp
- memory/3024-186-0x0000000000000000-mapping.dmp
- memory/3056-138-0x0000000000000000-mapping.dmp
- memory/3144-173-0x0000000000000000-mapping.dmp
- memory/3176-137-0x0000000000000000-mapping.dmp
- memory/3228-156-0x0000000000000000-mapping.dmp
- memory/3280-194-0x0000000000000000-mapping.dmp
- memory/3368-185-0x0000000000000000-mapping.dmp
- memory/3576-175-0x0000000000000000-mapping.dmp
- memory/3584-161-0x0000000000000000-mapping.dmp
- memory/3804-140-0x0000000000000000-mapping.dmp
- memory/3972-177-0x0000000000000000-mapping.dmp
- memory/4040-178-0x0000000000000000-mapping.dmp
- memory/4048-142-0x0000000000000000-mapping.dmp
- memory/4064-171-0x0000000000000000-mapping.dmp
- memory/4232-193-0x0000000000000000-mapping.dmp
- memory/4288-153-0x0000000000000000-mapping.dmp
- memory/4320-150-0x0000000000000000-mapping.dmp
- memory/4356-184-0x0000000000000000-mapping.dmp
- memory/4388-147-0x0000000000000000-mapping.dmp
- memory/4424-154-0x0000000000000000-mapping.dmp
- memory/4524-181-0x0000000000000000-mapping.dmp
- memory/4572-144-0x0000000000000000-mapping.dmp
- memory/4576-157-0x0000000000000000-mapping.dmp
- memory/4588-158-0x0000000000000000-mapping.dmp
- memory/4624-160-0x0000000000000000-mapping.dmp
- memory/4676-143-0x0000000000000000-mapping.dmp
- memory/4676-191-0x0000000000000000-mapping.dmp
- memory/4680-149-0x0000000000000000-mapping.dmp
- memory/4796-176-0x0000000000000000-mapping.dmp
- memory/4808-189-0x0000000000000000-mapping.dmp
- memory/4904-152-0x0000000000000000-mapping.dmp
- memory/4996-136-0x0000000000000000-mapping.dmp
- memory/5068-151-0x0000000000000000-mapping.dmp