Analysis

max time kernel: 115s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: 64new_cip1.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 64new_cip1.exe
  Resource: win10v2004-20221111-en
General

Target: 64new_cip1.exe
Size: 309KB
MD5: 13f7d86f390ac912fd0c77ac7ab97c7b
SHA1: bb19dd7ff1d34e9ae08589b0f6350319d8a15749
SHA256: 6fcf7c819d14c864edd0658cc56fd54e6b4af1c642b3d12c0943a0daee3dbaa2
SHA512: 1d4aae22f204257d401b1b0faf57c65de25740513a33a361c558cbaf9fa7d407df69499d474a7bd33c73ac1e08b0ffc9bcb77177d4abb704520db4ccf6313722
SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0/3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3Haw7c
Malware Config

Extracted from \??\A:\Boot\!-Recovery_Instructions-!.html:
  Mikesupp77@outlook.com
  https://tox.chat/download.html
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description           | pid  | process        | target process
  PID 1476 created 1380 | 1476 | 64new_cip1.exe | Explorer.EXE
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (all events by 64new_cip1.exe):
  File renamed: C:\Users\Admin\Pictures\InvokeExport.raw => C:\Users\Admin\Pictures\InvokeExport.raw.cipher1
  File renamed: C:\Users\Admin\Pictures\RemoveConfirm.tif => C:\Users\Admin\Pictures\RemoveConfirm.tif.cipher1
  File renamed: C:\Users\Admin\Pictures\UnlockLock.raw => C:\Users\Admin\Pictures\UnlockLock.raw.cipher1
  File renamed: C:\Users\Admin\Pictures\UnblockUninstall.png => C:\Users\Admin\Pictures\UnblockUninstall.png.cipher1
  File renamed: C:\Users\Admin\Pictures\CompressInstall.tif => C:\Users\Admin\Pictures\CompressInstall.tif.cipher1
  File opened for modification: C:\Users\Admin\Pictures\ConvertToRequest.tiff
  File renamed: C:\Users\Admin\Pictures\ConvertToRequest.tiff => C:\Users\Admin\Pictures\ConvertToRequest.tiff.cipher1
  File renamed: C:\Users\Admin\Pictures\ReceiveInvoke.raw => C:\Users\Admin\Pictures\ReceiveInvoke.raw.cipher1
  File renamed: C:\Users\Admin\Pictures\AddPush.tif => C:\Users\Admin\Pictures\AddPush.tif.cipher1
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 64new_cip1.exe opened the following drive roots read-only, in this order:
  \??\F: \??\G: \??\L: \??\Q: \??\V: \??\X: \??\E: \??\S: \??\U: \??\R: \??\I: \??\J:
  \??\K: \??\N: \??\T: \??\W: \??\Y: \??\B: \??\Z: \??\H: \??\M: \??\O: \??\P: \??\A:

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Processes:
  pid  | pid_target | process      | target process
  1396 | 1380       | WerFault.exe | Explorer.EXE

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid  | process
  1740 | vssadmin.exe
Kills process with taskkill (16 IoCs)
Processes: taskkill.exe, pids 296, 1588, 1164, 556, 676, 732, 2036, 1860, 1296, 1484, 1132, 556, 816, 1632, 1872, 1060 (pid 556 is listed twice)

Runs net.exe
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes: 64new_cip1.exe, pid 1476 (60 events)
Suspicious use of AdjustPrivilegeToken (18 IoCs)
Processes:
  Token: SeDebugPrivilege   | taskkill.exe | pids 2036, 1872, 556, 296, 816, 1860, 1164, 1060, 1588, 556, 1484, 676, 732, 1132, 1632
  Token: SeBackupPrivilege  | vssvc.exe    | pid 1744
  Token: SeRestorePrivilege | vssvc.exe    | pid 1744
  Token: SeAuditPrivilege   | vssvc.exe    | pid 1744
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical consecutive events collapsed; count in the last column):
  description                      | pid  | process        | target process | events
  PID 1476 wrote to memory of 1104 | 1476 | 64new_cip1.exe | cmd.exe        | 4
  PID 1104 wrote to memory of 1288 | 1104 | cmd.exe        | cmd.exe        | 4
  PID 1476 wrote to memory of 1800 | 1476 | 64new_cip1.exe | cmd.exe        | 4
  PID 1800 wrote to memory of 1516 | 1800 | cmd.exe        | cmd.exe        | 4
  PID 1516 wrote to memory of 2036 | 1516 | cmd.exe        | taskkill.exe   | 3
  PID 1476 wrote to memory of 580  | 1476 | 64new_cip1.exe | cmd.exe        | 4
  PID 580 wrote to memory of 1068  | 580  | cmd.exe        | cmd.exe        | 4
  PID 1068 wrote to memory of 1872 | 1068 | cmd.exe        | taskkill.exe   | 3
  PID 1476 wrote to memory of 808  | 1476 | 64new_cip1.exe | cmd.exe        | 4
  PID 808 wrote to memory of 848   | 808  | cmd.exe        | cmd.exe        | 4
  PID 848 wrote to memory of 556   | 848  | cmd.exe        | taskkill.exe   | 3
  PID 1476 wrote to memory of 1964 | 1476 | 64new_cip1.exe | cmd.exe        | 4
  PID 1964 wrote to memory of 1448 | 1964 | cmd.exe        | cmd.exe        | 4
  PID 1448 wrote to memory of 296  | 1448 | cmd.exe        | taskkill.exe   | 3
  PID 1476 wrote to memory of 1968 | 1476 | 64new_cip1.exe | cmd.exe        | 4
  PID 1968 wrote to memory of 1728 | 1968 | cmd.exe        | cmd.exe        | 4
  PID 1728 wrote to memory of 816  | 1728 | cmd.exe        | taskkill.exe   | 3
  PID 1476 wrote to memory of 428  | 1476 | 64new_cip1.exe | cmd.exe        | 1
System policy modification (1 TTP, 4 IoCs)
Processes (two instances of 64new_cip1.exe, each recording the same pair of events):
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
Processes

Process tree (depth in brackets; each entry shows the image path, its command line, and the signatures it triggered):

[1] C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\64new_cip1.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\64new_cip1.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Modifies extensions of user files
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im sqlbrowser.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im sqlwriter.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im sqlservr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im msmdsrv.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im MsDtsSrvr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im sqlceip.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im fdlauncher.exe
            - Kills process with taskkill
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im Ssms.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im SQLAGENT.EXE
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im fdhost.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im fdlauncher.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im sqlservr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im ReportingServicesService.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im msftesql.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im pg_ctl.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im postgres.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        [5] C:\Windows\system32\net.exe
            cmd: net stop MSSQLServerADHelper100
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop MSSQLServerADHelper100
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        [5] C:\Windows\system32\net.exe
            cmd: net stop MSSQL$ISARS
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop MSSQL$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        [5] C:\Windows\system32\net.exe
            cmd: net stop MSSQL$MSFW
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop MSSQL$MSFW
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        [5] C:\Windows\system32\net.exe
            cmd: net stop SQLAgent$ISARS
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop SQLAgent$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        [5] C:\Windows\system32\net.exe
            cmd: net stop SQLAgent$MSFW
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop SQLAgent$MSFW
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        [5] C:\Windows\system32\net.exe
            cmd: net stop SQLBrowser
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop SQLBrowser
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        [5] C:\Windows\system32\net.exe
            cmd: net stop ReportServer$ISARS
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop ReportServer$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        [5] C:\Windows\system32\net.exe
            cmd: net stop SQLWriter
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop SQLWriter
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        [5] C:\Windows\system32\vssadmin.exe
            cmd: vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
  [2] C:\Users\Admin\AppData\Local\Temp\64new_cip1.exe
      cmd: \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip1.exe -network
      - System policy modification
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c pause
  [2] C:\Windows\system32\WerFault.exe
      cmd: C:\Windows\system32\WerFault.exe -u -p 1380 -s 592
      - Program crash
[1] C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken