Analysis
- max time kernel: 137s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 11:01

Static task: static1

Behavioral task: behavioral1
- Sample: 64new_cip5.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 64new_cip5.exe
- Resource: win10v2004-20220812-en
General
- Target: 64new_cip5.exe
- Size: 309KB
- MD5: f1a3a57b1e469f0ecb2674bc8e2ed1f5
- SHA1: 8b51223c1d124a9db8102a510bf469a77682fc3b
- SHA256: 70cd735412950a78b1341edc421441ffc07bd174fbdc42284961346c3cfe213e
- SHA512: 20eda5f143e5e5ae7e7652e7f024ab01be47e747408afa8e7f9036a9829e5ce35575c67ae15ff229aad09f25be728ba6ff72dc5b73b74deb570cb12205451a16
- SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0L3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3raw7c
Malware Config
Extracted from \??\A:\!-Recovery_Instructions-!.html (ransom note contact details):
- Mikesupp77@outlook.com
- https://tox.chat/download.html
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes (description / pid / process / target process):
- PID 1080 created 1208 / 1080 / 64new_cip5.exe / Explorer.EXE

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (description / ioc / process):
- File renamed / C:\Users\Admin\Pictures\ConfirmUnregister.png => C:\Users\Admin\Pictures\ConfirmUnregister.png.cipher5 / 64new_cip5.exe
- File renamed / C:\Users\Admin\Pictures\EditPublish.raw => C:\Users\Admin\Pictures\EditPublish.raw.cipher5 / 64new_cip5.exe
- File renamed / C:\Users\Admin\Pictures\JoinGrant.raw => C:\Users\Admin\Pictures\JoinGrant.raw.cipher5 / 64new_cip5.exe
- File renamed / C:\Users\Admin\Pictures\LimitConvertFrom.raw => C:\Users\Admin\Pictures\LimitConvertFrom.raw.cipher5 / 64new_cip5.exe
- File renamed / C:\Users\Admin\Pictures\PingSelect.raw => C:\Users\Admin\Pictures\PingSelect.raw.cipher5 / 64new_cip5.exe
- File renamed / C:\Users\Admin\Pictures\TestUse.raw => C:\Users\Admin\Pictures\TestUse.raw.cipher5 / 64new_cip5.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description / ioc / process):
- File opened (read-only) by 64new_cip5.exe on each of: \??\O:, \??\R:, \??\U:, \??\V:, \??\A:, \??\M:, \??\T:, \??\Z:, \??\H:, \??\N:, \??\J:, \??\P:, \??\W:, \??\X:, \??\Y:, \??\B:, \??\E:, \??\I:, \??\K:, \??\L:, \??\Q:, \??\S:, \??\F:, \??\G: (24 entries)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes (pid / pid_target / process / target process):
- 892 / 1208 / WerFault.exe / Explorer.EXE

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid / process):
- 968 / vssadmin.exe

Kills process with taskkill (16 IoCs)
Processes (pid / process):
- taskkill.exe with PIDs 892, 1156, 1556, 788, 1312, 1632, 1520, 1380, 984, 520, 432, 1440, 1528, 1460, 1280, 1060 (16 entries)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes (pid / process):
- 1080 / 64new_cip5.exe (60 entries, all from the same process)

Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / taskkill.exe with PIDs 1280, 432, 1556, 892, 788, 1060, 1440, 1312, 1632, 1520, 1380, 984, 1156, 1460, 520, 1528 (16 entries)
- Token: SeBackupPrivilege / 1156 / vssvc.exe
- Token: SeRestorePrivilege / 1156 / vssvc.exe
- Token: SeAuditPrivilege / 1156 / vssvc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description / pid / process / target process; repeated rows collapsed with their entry count):
- PID 1080 wrote to memory of 1440 / 1080 / 64new_cip5.exe / cmd.exe (4 entries)
- PID 1440 wrote to memory of 1676 / 1440 / cmd.exe / cmd.exe (4 entries)
- PID 1080 wrote to memory of 1312 / 1080 / 64new_cip5.exe / cmd.exe (4 entries)
- PID 1312 wrote to memory of 1704 / 1312 / cmd.exe / cmd.exe (4 entries)
- PID 1704 wrote to memory of 1280 / 1704 / cmd.exe / taskkill.exe (3 entries)
- PID 1080 wrote to memory of 268 / 1080 / 64new_cip5.exe / cmd.exe (4 entries)
- PID 268 wrote to memory of 944 / 268 / cmd.exe / cmd.exe (4 entries)
- PID 944 wrote to memory of 432 / 944 / cmd.exe / taskkill.exe (3 entries)
- PID 1080 wrote to memory of 1072 / 1080 / 64new_cip5.exe / cmd.exe (4 entries)
- PID 1072 wrote to memory of 1008 / 1072 / cmd.exe / cmd.exe (4 entries)
- PID 1008 wrote to memory of 1556 / 1008 / cmd.exe / taskkill.exe (3 entries)
- PID 1080 wrote to memory of 1940 / 1080 / 64new_cip5.exe / cmd.exe (4 entries)
- PID 1940 wrote to memory of 1092 / 1940 / cmd.exe / cmd.exe (4 entries)
- PID 1092 wrote to memory of 892 / 1092 / cmd.exe / taskkill.exe (3 entries)
- PID 1080 wrote to memory of 776 / 1080 / 64new_cip5.exe / cmd.exe (4 entries)
- PID 776 wrote to memory of 1928 / 776 / cmd.exe / cmd.exe (4 entries)
- PID 1928 wrote to memory of 788 / 1928 / cmd.exe / taskkill.exe (3 entries)
- PID 1080 wrote to memory of 920 / 1080 / 64new_cip5.exe / cmd.exe (1 entry)

System policy modification (1 TTP, 4 IoCs)
Processes (description / ioc / process):
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" / 64new_cip5.exe
- Key created / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System / 64new_cip5.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" / 64new_cip5.exe
- Key created / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System / 64new_cip5.exe
Processes
(process tree; each entry gives the image path, the command line and the signatures attached to that process; indentation follows the tree depth)

- [1] C:\Windows\Explorer.EXE
      cmd: C:\Windows\Explorer.EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\64new_cip5.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\64new_cip5.exe"
        sigs: Suspicious use of NtCreateUserProcessOtherParentProcess; Modifies extensions of user files; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
          sigs: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
          sigs: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
            sigs: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\taskkill.exe
              cmd: taskkill -f -im sqlbrowser.exe
              sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
          sigs: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
            sigs: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\taskkill.exe
              cmd: taskkill -f -im sqlwriter.exe
              sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
          sigs: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
            sigs: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\taskkill.exe
              cmd: taskkill -f -im sqlservr.exe
              sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
          sigs: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
            sigs: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\taskkill.exe
              cmd: taskkill -f -im msmdsrv.exe
              sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
          sigs: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
            sigs: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\taskkill.exe
              cmd: taskkill -f -im MsDtsSrvr.exe
              sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        - [5] C:\Windows\system32\taskkill.exe
              cmd: taskkill -f -im sqlceip.exe
              sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        - [5] C:\Windows\system32\taskkill.exe
              cmd: taskkill -f -im SQLAGENT.EXE
              sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        - [5] C:\Windows\system32\taskkill.exe
              cmd: taskkill -f -im fdhost.exe
              sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        - [5] C:\Windows\system32\taskkill.exe
              cmd: taskkill -f -im fdlauncher.exe
              sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - [5] C:\Windows\system32\taskkill.exe
              cmd: taskkill -f -im sqlservr.exe
              sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        - [5] C:\Windows\system32\taskkill.exe
              cmd: taskkill -f -im ReportingServicesService.exe
              sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        - [5] C:\Windows\system32\taskkill.exe
              cmd: taskkill -f -im msftesql.exe
              sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        - [5] C:\Windows\system32\taskkill.exe
              cmd: taskkill -f -im postgres.exe
              sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        - [5] C:\Windows\system32\net.exe
              cmd: net stop MSSQLServerADHelper100
          - [6] C:\Windows\system32\net1.exe
                cmd: C:\Windows\system32\net1 stop MSSQLServerADHelper100
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        - [5] C:\Windows\system32\net.exe
              cmd: net stop MSSQL$ISARS
          - [6] C:\Windows\system32\net1.exe
                cmd: C:\Windows\system32\net1 stop MSSQL$ISARS
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        - [5] C:\Windows\system32\net.exe
              cmd: net stop MSSQL$MSFW
          - [6] C:\Windows\system32\net1.exe
                cmd: C:\Windows\system32\net1 stop MSSQL$MSFW
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        - [5] C:\Windows\system32\net.exe
              cmd: net stop SQLAgent$ISARS
          - [6] C:\Windows\system32\net1.exe
                cmd: C:\Windows\system32\net1 stop SQLAgent$ISARS
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        - [5] C:\Windows\system32\net.exe
              cmd: net stop SQLAgent$MSFW
          - [6] C:\Windows\system32\net1.exe
                cmd: C:\Windows\system32\net1 stop SQLAgent$MSFW
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        - [5] C:\Windows\system32\net.exe
              cmd: net stop SQLBrowser
          - [6] C:\Windows\system32\net1.exe
                cmd: C:\Windows\system32\net1 stop SQLBrowser
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        - [5] C:\Windows\system32\net.exe
              cmd: net stop ReportServer$ISARS
          - [6] C:\Windows\system32\net1.exe
                cmd: C:\Windows\system32\net1 stop ReportServer$ISARS
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        - [5] C:\Windows\system32\net.exe
              cmd: net stop SQLWriter
          - [6] C:\Windows\system32\net1.exe
                cmd: C:\Windows\system32\net1 stop SQLWriter
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      - [4] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        - [5] C:\Windows\system32\vssadmin.exe
              cmd: vssadmin.exe Delete Shadows /All /Quiet
              sigs: Interacts with shadow copies
  - [2] C:\Users\Admin\AppData\Local\Temp\64new_cip5.exe
        cmd: \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip5.exe -network
        sigs: System policy modification
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c pause
  - [2] C:\Windows\system32\WerFault.exe
        cmd: C:\Windows\system32\WerFault.exe -u -p 1208 -s 1920
        sigs: Program crash
- [1] C:\Windows\system32\taskkill.exe
      cmd: taskkill -f -im fdlauncher.exe
      sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\taskkill.exe
      cmd: taskkill -f -im Ssms.exe
      sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\taskkill.exe
      cmd: taskkill -f -im pg_ctl.exe
      sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\vssvc.exe
      cmd: C:\Windows\system32\vssvc.exe
      sigs: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/268-60-0x0000000000000000-mapping.dmp
- memory/316-75-0x0000000000000000-mapping.dmp
- memory/432-102-0x0000000000000000-mapping.dmp
- memory/432-62-0x0000000000000000-mapping.dmp
- memory/520-100-0x0000000000000000-mapping.dmp
- memory/552-73-0x0000000000000000-mapping.dmp
- memory/776-69-0x0000000000000000-mapping.dmp
- memory/776-92-0x0000000000000000-mapping.dmp
- memory/788-71-0x0000000000000000-mapping.dmp
- memory/812-106-0x0000000000000000-mapping.dmp
- memory/832-101-0x0000000000000000-mapping.dmp
- memory/876-93-0x0000000000000000-mapping.dmp
- memory/892-68-0x0000000000000000-mapping.dmp
- memory/920-72-0x0000000000000000-mapping.dmp
- memory/944-61-0x0000000000000000-mapping.dmp
- memory/968-116-0x0000000000000000-mapping.dmp
- memory/984-91-0x0000000000000000-mapping.dmp
- memory/1008-64-0x0000000000000000-mapping.dmp
- memory/1060-74-0x0000000000000000-mapping.dmp
- memory/1072-63-0x0000000000000000-mapping.dmp
- memory/1072-105-0x0000000000000000-mapping.dmp
- memory/1080-54-0x0000000076411000-0x0000000076413000-memory.dmp (Filesize: 8KB)
- memory/1092-67-0x0000000000000000-mapping.dmp
- memory/1092-110-0x0000000000000000-mapping.dmp
- memory/1104-90-0x0000000000000000-mapping.dmp
- memory/1132-111-0x0000000000000000-mapping.dmp
- memory/1156-94-0x0000000000000000-mapping.dmp
- memory/1204-98-0x0000000000000000-mapping.dmp
- memory/1256-109-0x0000000000000000-mapping.dmp
- memory/1280-59-0x0000000000000000-mapping.dmp
- memory/1300-95-0x0000000000000000-mapping.dmp
- memory/1312-57-0x0000000000000000-mapping.dmp
- memory/1312-79-0x0000000000000000-mapping.dmp
- memory/1332-96-0x0000000000000000-mapping.dmp
- memory/1344-99-0x0000000000000000-mapping.dmp
- memory/1380-88-0x0000000000000000-mapping.dmp
- memory/1440-55-0x0000000000000000-mapping.dmp
- memory/1440-76-0x0000000000000000-mapping.dmp
- memory/1460-97-0x0000000000000000-mapping.dmp
- memory/1520-85-0x0000000000000000-mapping.dmp
- memory/1528-103-0x0000000000000000-mapping.dmp
- memory/1552-117-0x0000000000000000-mapping.dmp
- memory/1556-65-0x0000000000000000-mapping.dmp
- memory/1632-82-0x0000000000000000-mapping.dmp
- memory/1648-118-0x0000000000000000-mapping.dmp
- memory/1656-115-0x0000000000000000-mapping.dmp
- memory/1676-56-0x0000000000000000-mapping.dmp
- memory/1704-58-0x0000000000000000-mapping.dmp
- memory/1716-112-0x0000000000000000-mapping.dmp
- memory/1756-114-0x0000000000000000-mapping.dmp
- memory/1764-78-0x0000000000000000-mapping.dmp
- memory/1780-83-0x0000000000000000-mapping.dmp
- memory/1800-113-0x0000000000000000-mapping.dmp
- memory/1860-86-0x0000000000000000-mapping.dmp
- memory/1912-108-0x0000000000000000-mapping.dmp
- memory/1916-80-0x0000000000000000-mapping.dmp
- memory/1916-104-0x0000000000000000-mapping.dmp
- memory/1928-70-0x0000000000000000-mapping.dmp
- memory/1940-66-0x0000000000000000-mapping.dmp
- memory/1940-89-0x0000000000000000-mapping.dmp
- memory/1976-81-0x0000000000000000-mapping.dmp
- memory/1984-87-0x0000000000000000-mapping.dmp
- memory/2036-107-0x0000000000000000-mapping.dmp
- memory/2036-84-0x0000000000000000-mapping.dmp
- memory/2040-77-0x0000000000000000-mapping.dmp