Analysis
- max time kernel: 152s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 11:01
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 64new_cip7.exe
  - Resource: win7-20220812-en
- Behavioral task: behavioral2
  - Sample: 64new_cip7.exe
  - Resource: win10v2004-20220812-en
General
- Target: 64new_cip7.exe
- Size: 309KB
- MD5: 333e965aedff914fb6cb49938097bfd7
- SHA1: 27633cf2b66d46639ddd4e45e915d7201d5964ae
- SHA256: 67786dd4e0afdd952b6a6161e86b21ca453ba5963f100afef802cc0a734d4625
- SHA512: e5a6c286b5e74d926963aa41f2d74a600fb93f2a05b164c1e05424b5090af2496bbea1ffa852728f7c85e13f161b3c2079e58dbfb4a44f804e292c06997b1de7
- SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0J3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3xaw7c
Malware Config
Extracted
- Ransom note path: \??\A:\!-Recovery_Instructions-!.html
- Email: Mikesupp77@outlook.com
- URL: https://tox.chat/download.html
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: 64new_cip7.exe
description | pid | process | target process
PID 5116 created 3092 | 5116 | 64new_cip7.exe | Explorer.EXE
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 64new_cip7.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\OpenApprove.tiff | 64new_cip7.exe
File opened for modification | C:\Users\Admin\Pictures\ResetMount.tiff | 64new_cip7.exe
File renamed | C:\Users\Admin\Pictures\ResetMount.tiff => C:\Users\Admin\Pictures\ResetMount.tiff.cipher7 | 64new_cip7.exe
File renamed | C:\Users\Admin\Pictures\WriteRemove.raw => C:\Users\Admin\Pictures\WriteRemove.raw.cipher7 | 64new_cip7.exe
File renamed | C:\Users\Admin\Pictures\MeasureUnlock.raw => C:\Users\Admin\Pictures\MeasureUnlock.raw.cipher7 | 64new_cip7.exe
File renamed | C:\Users\Admin\Pictures\OpenApprove.tiff => C:\Users\Admin\Pictures\OpenApprove.tiff.cipher7 | 64new_cip7.exe
File renamed | C:\Users\Admin\Pictures\OpenRestore.crw => C:\Users\Admin\Pictures\OpenRestore.crw.cipher7 | 64new_cip7.exe
File opened for modification | C:\Users\Admin\Pictures\ReceiveWrite.tiff | 64new_cip7.exe
File renamed | C:\Users\Admin\Pictures\ReceiveWrite.tiff => C:\Users\Admin\Pictures\ReceiveWrite.tiff.cipher7 | 64new_cip7.exe
File renamed | C:\Users\Admin\Pictures\LimitRemove.crw => C:\Users\Admin\Pictures\LimitRemove.crw.cipher7 | 64new_cip7.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 64new_cip7.exe
description | ioc | process
File opened (read-only) | \??\E: | 64new_cip7.exe
File opened (read-only) | \??\F: | 64new_cip7.exe
File opened (read-only) | \??\O: | 64new_cip7.exe
File opened (read-only) | \??\P: | 64new_cip7.exe
File opened (read-only) | \??\Q: | 64new_cip7.exe
File opened (read-only) | \??\T: | 64new_cip7.exe
File opened (read-only) | \??\V: | 64new_cip7.exe
File opened (read-only) | \??\A: | 64new_cip7.exe
File opened (read-only) | \??\H: | 64new_cip7.exe
File opened (read-only) | \??\I: | 64new_cip7.exe
File opened (read-only) | \??\K: | 64new_cip7.exe
File opened (read-only) | \??\M: | 64new_cip7.exe
File opened (read-only) | \??\R: | 64new_cip7.exe
File opened (read-only) | \??\W: | 64new_cip7.exe
File opened (read-only) | \??\X: | 64new_cip7.exe
File opened (read-only) | \??\G: | 64new_cip7.exe
File opened (read-only) | \??\Z: | 64new_cip7.exe
File opened (read-only) | \??\N: | 64new_cip7.exe
File opened (read-only) | \??\Y: | 64new_cip7.exe
File opened (read-only) | \??\J: | 64new_cip7.exe
File opened (read-only) | \??\L: | 64new_cip7.exe
File opened (read-only) | \??\S: | 64new_cip7.exe
File opened (read-only) | \??\U: | 64new_cip7.exe
File opened (read-only) | \??\B: | 64new_cip7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
Processes: WerFault.exe (4 instances)
pid | pid_target | process | target process
568 | 3092 | WerFault.exe | Explorer.EXE
3308 | 3092 | WerFault.exe | Explorer.EXE
5036 | 3652 | WerFault.exe |
1340 | 3652 | WerFault.exe |
Kills process with taskkill 16 IoCs
Processes: taskkill.exe (16 instances)
pid | process
taskkill.exe PIDs: 3632, 3676, 768, 4376, 2340, 4496, 5068, 5036, 116, 5024, 4192, 1640, 4152, 2308, 1448, 1456
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 64new_cip7.exe
pid | process
5116 | 64new_cip7.exe (the same entry is recorded 64 times)
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes: taskkill.exe (16 instances)
description | pid | process
Token: SeDebugPrivilege | taskkill.exe PIDs: 4192, 1640, 768, 116, 4152, 2308, 4376, 5024, 2340, 3632, 4496, 1448, 1456, 3676, 5068, 5036
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 64new_cip7.exe, cmd.exe (17 instances)
description | pid | process | target process (identical entries are collapsed with their count)
PID 5116 wrote to memory of 2256 | 5116 | 64new_cip7.exe | cmd.exe (3 entries)
PID 2256 wrote to memory of 4564 | 2256 | cmd.exe | cmd.exe (2 entries)
PID 5116 wrote to memory of 5044 | 5116 | 64new_cip7.exe | cmd.exe (3 entries)
PID 5044 wrote to memory of 5004 | 5044 | cmd.exe | cmd.exe (2 entries)
PID 5004 wrote to memory of 4192 | 5004 | cmd.exe | taskkill.exe (2 entries)
PID 5116 wrote to memory of 1288 | 5116 | 64new_cip7.exe | cmd.exe (3 entries)
PID 1288 wrote to memory of 3428 | 1288 | cmd.exe | cmd.exe (2 entries)
PID 3428 wrote to memory of 1640 | 3428 | cmd.exe | taskkill.exe (2 entries)
PID 5116 wrote to memory of 2356 | 5116 | 64new_cip7.exe | cmd.exe (3 entries)
PID 2356 wrote to memory of 1748 | 2356 | cmd.exe | cmd.exe (2 entries)
PID 1748 wrote to memory of 768 | 1748 | cmd.exe | taskkill.exe (2 entries)
PID 5116 wrote to memory of 996 | 5116 | 64new_cip7.exe | cmd.exe (3 entries)
PID 996 wrote to memory of 220 | 996 | cmd.exe | cmd.exe (2 entries)
PID 220 wrote to memory of 116 | 220 | cmd.exe | taskkill.exe (2 entries)
PID 5116 wrote to memory of 2144 | 5116 | 64new_cip7.exe | cmd.exe (3 entries)
PID 2144 wrote to memory of 3168 | 2144 | cmd.exe | cmd.exe (2 entries)
PID 3168 wrote to memory of 4152 | 3168 | cmd.exe | taskkill.exe (2 entries)
PID 5116 wrote to memory of 3004 | 5116 | 64new_cip7.exe | cmd.exe (3 entries)
PID 3004 wrote to memory of 3808 | 3004 | cmd.exe | cmd.exe (2 entries)
PID 3808 wrote to memory of 2308 | 3808 | cmd.exe | taskkill.exe (2 entries)
PID 5116 wrote to memory of 4612 | 5116 | 64new_cip7.exe | cmd.exe (3 entries)
PID 4612 wrote to memory of 4372 | 4612 | cmd.exe | cmd.exe (2 entries)
PID 4372 wrote to memory of 4376 | 4372 | cmd.exe | taskkill.exe (2 entries)
PID 5116 wrote to memory of 372 | 5116 | 64new_cip7.exe | cmd.exe (3 entries)
PID 372 wrote to memory of 964 | 372 | cmd.exe | cmd.exe (2 entries)
PID 964 wrote to memory of 5024 | 964 | cmd.exe | taskkill.exe (2 entries)
PID 5116 wrote to memory of 2488 | 5116 | 64new_cip7.exe | cmd.exe (3 entries)
System policy modification 1 TTPs 4 IoCs
Processes: 64new_cip7.exe (2 instances)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 64new_cip7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 64new_cip7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip7.exe
Processes
Each entry reads: [depth in the process tree] image path | command line
- [1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe | "C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe"
    Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Modifies extensions of user files; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im sqlbrowser.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im sqlwriter.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im sqlservr.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im msmdsrv.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im MsDtsSrvr.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im sqlceip.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im fdlauncher.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im Ssms.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im SQLAGENT.EXE
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im fdhost.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im fdlauncher.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im sqlservr.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im ReportingServicesService.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im msftesql.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im pg_ctl.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        - [5] C:\Windows\system32\taskkill.exe | taskkill -f -im postgres.exe
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        - [5] C:\Windows\system32\net.exe | net stop MSSQLServerADHelper100
          - [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQLServerADHelper100
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        - [5] C:\Windows\system32\net.exe | net stop MSSQL$ISARS
          - [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQL$ISARS
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        - [5] C:\Windows\system32\net.exe | net stop MSSQL$MSFW
          - [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQL$MSFW
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        - [5] C:\Windows\system32\net.exe | net stop SQLAgent$ISARS
          - [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLAgent$ISARS
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        - [5] C:\Windows\system32\net.exe | net stop SQLAgent$MSFW
          - [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLAgent$MSFW
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        - [5] C:\Windows\system32\net.exe | net stop SQLBrowser
          - [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLBrowser
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        - [5] C:\Windows\system32\net.exe | net stop ReportServer$ISARS
          - [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ReportServer$ISARS
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      - [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        - [5] C:\Windows\system32\net.exe | net stop SQLWriter
          - [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLWriter
  - [2] C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe | \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe -network
    Signatures: System policy modification
    - [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c pause
  - [2] C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3092 -s 1324
    Signatures: Program crash
  - [2] C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3092 -s 1324
    Signatures: Program crash
- [1] C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 408 -p 3652 -ip 3652
- [1] C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 456 -p 3092 -ip 3092
- [1] C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3652 -s 4740
  Signatures: Program crash
- [1] C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3652 -s 4740
  Signatures: Program crash
Downloads