Analysis
- max time kernel: 116s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 11:01
- Static task: static1
- Behavioral task: behavioral1 (Sample: 64new_cip2.exe; Resource: win7-20220901-en)
- Behavioral task: behavioral2 (Sample: 64new_cip2.exe; Resource: win10v2004-20221111-en)
General
- Target: 64new_cip2.exe
- Size: 309KB
- MD5: 0baa60f8c2818424c9a9c1f3cfc42aad
- SHA1: 575052a2196cd8f6d3c5b1955fbf5a93dc9b53f9
- SHA256: 11b4f023c60e07c179521db3198e3bb66b00bd2bad889344fc4f9cfb5d0f43a9
- SHA512: fdc3ab1ee482336f558f26cd56cf748fce7508c73f32a90c7aab041ea4dbcd1b5bc36dc222642757f77eb677cc3f3b2383ce66e287db092bb5d40e1bf5be393c
- SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l063WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3Saw7c
Malware Config
Extracted from \??\A:\!-Recovery_Instructions-!.html (ransom note):
- Contact e-mail: Mikesupp77@outlook.com
- Link: https://tox.chat/download.html
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description              pid   process         target process
  PID 1376 created 1240    1376  64new_cip2.exe  Explorer.EXE

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (all entries by 64new_cip2.exe):
  File renamed                  C:\Users\Admin\Pictures\PushUnregister.raw => C:\Users\Admin\Pictures\PushUnregister.raw.cipher2
  File renamed                  C:\Users\Admin\Pictures\StopSet.tiff => C:\Users\Admin\Pictures\StopSet.tiff.cipher2
  File renamed                  C:\Users\Admin\Pictures\UpdateGet.tiff => C:\Users\Admin\Pictures\UpdateGet.tiff.cipher2
  File renamed                  C:\Users\Admin\Pictures\MountGrant.raw => C:\Users\Admin\Pictures\MountGrant.raw.cipher2
  File opened for modification  C:\Users\Admin\Pictures\ShowGrant.tiff
  File renamed                  C:\Users\Admin\Pictures\ShowGrant.tiff => C:\Users\Admin\Pictures\ShowGrant.tiff.cipher2
  File opened for modification  C:\Users\Admin\Pictures\StopSet.tiff
  File renamed                  C:\Users\Admin\Pictures\UnblockExit.tif => C:\Users\Admin\Pictures\UnblockExit.tif.cipher2
  File opened for modification  C:\Users\Admin\Pictures\UpdateGet.tiff
  File renamed                  C:\Users\Admin\Pictures\ExpandGet.png => C:\Users\Admin\Pictures\ExpandGet.png.cipher2

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (all entries by 64new_cip2.exe, "File opened (read-only)"):
  \??\E:, \??\G:, \??\K:, \??\O:, \??\P:, \??\U:, \??\W:, \??\Y:, \??\Z:, \??\A:, \??\F:, \??\T:, \??\X:, \??\B:, \??\H:, \??\J:, \??\L:, \??\Q:, \??\R:, \??\S:, \??\I:, \??\M:, \??\N:, \??\V:

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1552  1240        WerFault.exe  Explorer.EXE

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  1360  vssadmin.exe

Kills process with taskkill (16 IoCs)
Processes (taskkill.exe PIDs):
  1680, 1868, 1800, 1568, 1972, 1716, 1452, 1944, 1976, 2020, 1628, 276, 368, 812, 596, 1520

Runs net.exe

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
  pid   process
  1376  64new_cip2.exe (all 60 entries)

Suspicious use of AdjustPrivilegeToken (18 IoCs)
Processes:
  description                pid   process
  Token: SeDebugPrivilege    812   taskkill.exe
  Token: SeDebugPrivilege    1568  taskkill.exe
  Token: SeDebugPrivilege    596   taskkill.exe
  Token: SeDebugPrivilege    2020  taskkill.exe
  Token: SeDebugPrivilege    1628  taskkill.exe
  Token: SeDebugPrivilege    276   taskkill.exe
  Token: SeDebugPrivilege    1716  taskkill.exe
  Token: SeDebugPrivilege    1680  taskkill.exe
  Token: SeDebugPrivilege    1520  taskkill.exe
  Token: SeDebugPrivilege    1868  taskkill.exe
  Token: SeDebugPrivilege    1452  taskkill.exe
  Token: SeDebugPrivilege    1944  taskkill.exe
  Token: SeDebugPrivilege    1800  taskkill.exe
  Token: SeDebugPrivilege    1976  taskkill.exe
  Token: SeDebugPrivilege    368   taskkill.exe
  Token: SeBackupPrivilege   1936  vssvc.exe
  Token: SeRestorePrivilege  1936  vssvc.exe
  Token: SeAuditPrivilege    1936  vssvc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical entries grouped; "count" is the number of repeats):
  description                       pid   process         target process  count
  PID 1376 wrote to memory of 1872  1376  64new_cip2.exe  cmd.exe         4
  PID 1872 wrote to memory of 1248  1872  cmd.exe         cmd.exe         4
  PID 1376 wrote to memory of 320   1376  64new_cip2.exe  cmd.exe         4
  PID 320 wrote to memory of 1220   320   cmd.exe         cmd.exe         4
  PID 1220 wrote to memory of 812   1220  cmd.exe         taskkill.exe    3
  PID 1376 wrote to memory of 624   1376  64new_cip2.exe  cmd.exe         4
  PID 624 wrote to memory of 1472   624   cmd.exe         cmd.exe         4
  PID 1472 wrote to memory of 1568  1472  cmd.exe         taskkill.exe    3
  PID 1376 wrote to memory of 1604  1376  64new_cip2.exe  cmd.exe         4
  PID 1604 wrote to memory of 1092  1604  cmd.exe         cmd.exe         4
  PID 1092 wrote to memory of 596   1092  cmd.exe         taskkill.exe    3
  PID 1376 wrote to memory of 1412  1376  64new_cip2.exe  cmd.exe         4
  PID 1412 wrote to memory of 1876  1412  cmd.exe         cmd.exe         4
  PID 1876 wrote to memory of 2020  1876  cmd.exe         taskkill.exe    3
  PID 1376 wrote to memory of 1924  1376  64new_cip2.exe  cmd.exe         4
  PID 1924 wrote to memory of 1888  1924  cmd.exe         cmd.exe         4
  PID 1888 wrote to memory of 1628  1888  cmd.exe         taskkill.exe    3
  PID 1376 wrote to memory of 1800  1376  64new_cip2.exe  cmd.exe         1

System policy modification (1 TTP, 4 IoCs)
Processes (all entries by 64new_cip2.exe):
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
Processes (tree; indentation shows parent/child depth, each entry lists image path, command line and triggered signatures)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\64new_cip2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\64new_cip2.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Modifies extensions of user files
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlbrowser.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlwriter.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlservr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im msmdsrv.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im MsDtsSrvr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlceip.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im fdlauncher.exe
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im Ssms.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im SQLAGENT.EXE
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im fdhost.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im fdlauncher.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlservr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im ReportingServicesService.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im msftesql.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im pg_ctl.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im postgres.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        C:\Windows\system32\net.exe
          command line: net stop MSSQLServerADHelper100
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop MSSQLServerADHelper100
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        C:\Windows\system32\net.exe
          command line: net stop MSSQL$ISARS
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop MSSQL$ISARS
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        C:\Windows\system32\net.exe
          command line: net stop MSSQL$MSFW
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop MSSQL$MSFW
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        C:\Windows\system32\net.exe
          command line: net stop SQLAgent$ISARS
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop SQLAgent$ISARS
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        C:\Windows\system32\net.exe
          command line: net stop SQLAgent$MSFW
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop SQLAgent$MSFW
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        C:\Windows\system32\net.exe
          command line: net stop SQLBrowser
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop SQLBrowser
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        C:\Windows\system32\net.exe
          command line: net stop ReportServer$ISARS
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop ReportServer$ISARS
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        C:\Windows\system32\net.exe
          command line: net stop SQLWriter
          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop SQLWriter
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        C:\Windows\system32\vssadmin.exe
          command line: vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies
  C:\Users\Admin\AppData\Local\Temp\64new_cip2.exe
    command line: \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip2.exe -network
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c pause
  C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 1240 -s 848
    - Program crash
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/276-97-0x0000000000000000-mapping.dmp
- memory/276-74-0x0000000000000000-mapping.dmp
- memory/320-57-0x0000000000000000-mapping.dmp
- memory/360-93-0x0000000000000000-mapping.dmp
- memory/368-103-0x0000000000000000-mapping.dmp
- memory/436-73-0x0000000000000000-mapping.dmp
- memory/572-112-0x0000000000000000-mapping.dmp
- memory/584-81-0x0000000000000000-mapping.dmp
- memory/596-65-0x0000000000000000-mapping.dmp
- memory/624-110-0x0000000000000000-mapping.dmp
- memory/624-60-0x0000000000000000-mapping.dmp
- memory/672-114-0x0000000000000000-mapping.dmp
- memory/748-91-0x0000000000000000-mapping.dmp
- memory/812-59-0x0000000000000000-mapping.dmp
- memory/904-106-0x0000000000000000-mapping.dmp
- memory/976-108-0x0000000000000000-mapping.dmp
- memory/996-99-0x0000000000000000-mapping.dmp
- memory/1092-64-0x0000000000000000-mapping.dmp
- memory/1148-109-0x0000000000000000-mapping.dmp
- memory/1148-85-0x0000000000000000-mapping.dmp
- memory/1220-58-0x0000000000000000-mapping.dmp
- memory/1248-56-0x0000000000000000-mapping.dmp
- memory/1296-78-0x0000000000000000-mapping.dmp
- memory/1324-82-0x0000000000000000-mapping.dmp
- memory/1332-117-0x0000000000000000-mapping.dmp
- memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp (Filesize: 8KB)
- memory/1388-94-0x0000000000000000-mapping.dmp
- memory/1412-118-0x0000000000000000-mapping.dmp
- memory/1412-66-0x0000000000000000-mapping.dmp
- memory/1452-92-0x0000000000000000-mapping.dmp
- memory/1464-111-0x0000000000000000-mapping.dmp
- memory/1472-61-0x0000000000000000-mapping.dmp
- memory/1472-104-0x0000000000000000-mapping.dmp
- memory/1520-86-0x0000000000000000-mapping.dmp
- memory/1528-75-0x0000000000000000-mapping.dmp
- memory/1568-62-0x0000000000000000-mapping.dmp
- memory/1568-84-0x0000000000000000-mapping.dmp
- memory/1604-63-0x0000000000000000-mapping.dmp
- memory/1616-90-0x0000000000000000-mapping.dmp
- memory/1628-71-0x0000000000000000-mapping.dmp
- memory/1636-107-0x0000000000000000-mapping.dmp
- memory/1648-115-0x0000000000000000-mapping.dmp
- memory/1648-87-0x0000000000000000-mapping.dmp
- memory/1680-105-0x0000000000000000-mapping.dmp
- memory/1680-83-0x0000000000000000-mapping.dmp
- memory/1684-96-0x0000000000000000-mapping.dmp
- memory/1716-102-0x0000000000000000-mapping.dmp
- memory/1716-80-0x0000000000000000-mapping.dmp
- memory/1740-79-0x0000000000000000-mapping.dmp
- memory/1800-98-0x0000000000000000-mapping.dmp
- memory/1800-72-0x0000000000000000-mapping.dmp
- memory/1868-89-0x0000000000000000-mapping.dmp
- memory/1872-55-0x0000000000000000-mapping.dmp
- memory/1876-67-0x0000000000000000-mapping.dmp
- memory/1888-70-0x0000000000000000-mapping.dmp
- memory/1896-101-0x0000000000000000-mapping.dmp
- memory/1912-116-0x0000000000000000-mapping.dmp
- memory/1924-69-0x0000000000000000-mapping.dmp
- memory/1936-113-0x0000000000000000-mapping.dmp
- memory/1944-95-0x0000000000000000-mapping.dmp
- memory/1956-76-0x0000000000000000-mapping.dmp
- memory/1972-77-0x0000000000000000-mapping.dmp
- memory/1972-100-0x0000000000000000-mapping.dmp
- memory/2020-68-0x0000000000000000-mapping.dmp
- memory/2024-88-0x0000000000000000-mapping.dmp