hellokitty | fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb

Analysis

max time kernel
41s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
09-02-2021 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
Size

157KB
MD5

85cd7c6931b44a14f4899dfd0039e8b4
SHA1

5822f65dec879ba585112976a632b2c4435abf90
SHA256

fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb
SHA512

9a8173eb7f08c1c9e2c9b66b2866c08a5e97bc16ceb3644a55cc9da17dec1b9941f0e30c23994952d31b3b60911d13e7cc20810ecada35cdca4bff72ccad5a15

Score

10^/10

hellokitty ransomware

Malware Config

Extracted

Path

C:\Boot\bg-BG\read_me_lkd.txt

Ransom Note

Hello dear user. Your files have been encrypted. -- What does it mean?! Content of your files have been modified. Without special key you can't undo that operation. -- How to get special key? If you want to get it, you must pay us some money and we will help you. We will give you special decryption program and instructions. -- Ok, how i can pay you? 1) Download TOR browser, if you don't know how to do it you can google it. 2) Open this website in tor browser: http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/d87c3f9baf85b2e9ab2a824bb78868294e19992e2e26b54f248abfa73c42a7c0 3) Follow instructions in chat.

URLs

http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/d87c3f9baf85b2e9ab2a824bb78868294e19992e2e26b54f248abfa73c42a7c0

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\LimitDebug.tif => C:\Users\Admin\Pictures\LimitDebug.tif.crypted	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
File renamed	C:\Users\Admin\Pictures\StopFind.raw => C:\Users\Admin\Pictures\StopFind.raw.crypted	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
File renamed	C:\Users\Admin\Pictures\UnblockConnect.tif => C:\Users\Admin\Pictures\UnblockConnect.tif.crypted	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
File renamed	C:\Users\Admin\Pictures\UnpublishSet.crw => C:\Users\Admin\Pictures\UnpublishSet.crw.crypted	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 41 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4116	taskkill.exe
5344	taskkill.exe
416	taskkill.exe
5152	taskkill.exe
5992	taskkill.exe
5660	taskkill.exe
5260	taskkill.exe
4968	taskkill.exe
3720	taskkill.exe
740	taskkill.exe
3668	taskkill.exe
2600	taskkill.exe
4468	taskkill.exe
5748	taskkill.exe
1176	taskkill.exe
5872	taskkill.exe
4488	taskkill.exe
520	taskkill.exe
4324	taskkill.exe
4404	taskkill.exe
5952	taskkill.exe
4928	taskkill.exe
2312	taskkill.exe
1320	taskkill.exe
4592	taskkill.exe
6072	taskkill.exe
4972	taskkill.exe
6092	taskkill.exe
5128	taskkill.exe
500	taskkill.exe
1648	taskkill.exe
4060	taskkill.exe
4524	taskkill.exe
5604	taskkill.exe
3832	taskkill.exe
4860	taskkill.exe
200	taskkill.exe
4176	taskkill.exe
5156	taskkill.exe
6100	taskkill.exe
4836	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe

pid	process
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe

pid process

580 fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	416	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	500	taskkill.exe
Token: SeDebugPrivilege	3668	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	2600	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	200	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	4176	taskkill.exe
Token: SeDebugPrivilege	4324	taskkill.exe
Token: SeDebugPrivilege	4404	taskkill.exe
Token: SeDebugPrivilege	4468	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	5152	taskkill.exe
Token: SeDebugPrivilege	5660	taskkill.exe
Token: SeDebugPrivilege	6072	taskkill.exe
Token: SeDebugPrivilege	5604	taskkill.exe
Token: SeDebugPrivilege	5952	taskkill.exe
Token: SeDebugPrivilege	6092	taskkill.exe
Token: SeDebugPrivilege	5156	taskkill.exe
Token: SeDebugPrivilege	6100	taskkill.exe
Token: SeDebugPrivilege	4836	taskkill.exe
Token: SeDebugPrivilege	5260	taskkill.exe
Token: SeDebugPrivilege	5992	taskkill.exe
Token: SeDebugPrivilege	4928	taskkill.exe
Token: SeDebugPrivilege	5872	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	5128	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	5344	taskkill.exe
Token: SeDebugPrivilege	5748	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeBackupPrivilege	2116	vssvc.exe
Token: SeRestorePrivilege	2116	vssvc.exe
Token: SeAuditPrivilege	2116	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe

description	pid	process	target process
PID 580 wrote to memory of 3720	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 3720	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 3720	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 416	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 416	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 416	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 740	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 740	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 740	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 500	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 500	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 500	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 1648	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 1648	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 1648	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 3668	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 3668	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 3668	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4060	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4060	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4060	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 2600	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 2600	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 2600	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 200	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 200	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 200	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 2312	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 2312	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 2312	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 520	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 520	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 520	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 1176	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 1176	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 1176	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 1320	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 1320	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 1320	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4116	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4116	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4116	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4176	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4176	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4176	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4324	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4324	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4324	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4404	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4404	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4404	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4468	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4468	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4468	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4524	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4524	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4524	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4592	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4592	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4592	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	taskkill.exe
PID 580 wrote to memory of 4664	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	net.exe
PID 580 wrote to memory of 4664	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	net.exe
PID 580 wrote to memory of 4664	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	net.exe
PID 580 wrote to memory of 4716	580	fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe
"C:\Users\Admin\AppData\Local\Temp\fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im mysql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im dsa*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:416
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im ds_monitor*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:500
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Notifier*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Ntrtscan*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im TmListen*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3668
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im iVPAgent*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im CNTAoSMgr*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im IBM*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:200
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im bes10*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im black*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im robo*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im copy*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im store.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4176
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im vee*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im postg*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sage*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  PID:4664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    PID:4804
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ISARS
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ISARS
    3⤵
    PID:4848
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$MSFW
  2⤵
  PID:4776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$MSFW
    3⤵
    PID:4904
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ISARS
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ISARS
    3⤵
    PID:5008
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$MSFW
  2⤵
  PID:4960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$MSFW
    3⤵
    PID:5072
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser
    3⤵
    PID:3724
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$ISARS
  2⤵
  PID:5096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$ISARS
    3⤵
    PID:4616
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLWriter
    3⤵
    PID:3560
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop WinDefend
  2⤵
  PID:4788
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    PID:4680
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop mr2kserv
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mr2kserv
    3⤵
    PID:5192
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeADTopology
  2⤵
  PID:5124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeADTopology
    3⤵
    PID:5320
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeFBA
  2⤵
  PID:5148
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeFBA
    3⤵
    PID:5292
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS
  2⤵
  PID:5232
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS
    3⤵
    PID:5404
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ShadowProtectSvc
  2⤵
  PID:5416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ShadowProtectSvc
    3⤵
    PID:5568
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPAdminV4
  2⤵
  PID:5504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPAdminV4
    3⤵
    PID:5708
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA
  2⤵
  PID:5304
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTimerV4
  2⤵
  PID:5588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTimerV4
    3⤵
    PID:5940
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPUserCodeV4
  2⤵
  PID:5640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPUserCodeV4
    3⤵
    PID:6000
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTraceV4
  2⤵
  PID:5608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTraceV4
    3⤵
    PID:5980
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPSearch4
  2⤵
  PID:5720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPSearch4
    3⤵
    PID:6056
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:5796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:6108
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  PID:5756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    PID:2264
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPWriterV4
  2⤵
  PID:5664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPWriterV4
    3⤵
    PID:6068
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop firebirdguardiandefaultinstance
  2⤵
  PID:5960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
    3⤵
    PID:4920
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ibmiasrw
  2⤵
  PID:6136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ibmiasrw
    3⤵
    PID:2656
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBCFMonitorService
  2⤵
  PID:5220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService
    3⤵
    PID:4688
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBVSS
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBVSS
    3⤵
    PID:4784
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"
  2⤵
  PID:4420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"
    3⤵
    PID:5392
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
  2⤵
  PID:4692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
    3⤵
    PID:2604
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBPOSDBServiceV12
  2⤵
  PID:5396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBPOSDBServiceV12
    3⤵
    PID:5000
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:5384
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:4200
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB1
  2⤵
  PID:4892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB1
    3⤵
    PID:5556
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB2
  2⤵
  PID:5140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB2
    3⤵
    PID:5280
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB3
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB3
    3⤵
    PID:5500
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB4
  2⤵
  PID:5088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB4
    3⤵
    PID:5764
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB5
  2⤵
  PID:5208
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB5
    3⤵
    PID:5544
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB6
  2⤵
  PID:5852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB6
    3⤵
    PID:5580
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB7
  2⤵
  PID:5988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB7
    3⤵
    PID:5832
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB8
  2⤵
  PID:5444
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB8
    3⤵
    PID:6080
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB9
  2⤵
  PID:5732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB9
    3⤵
    PID:5896
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB10
  2⤵
  PID:5612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB10
    3⤵
    PID:5616
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB11
  2⤵
  PID:5700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB11
    3⤵
    PID:5908
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB12
  2⤵
  PID:5652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB12
    3⤵
    PID:5760
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB13
  2⤵
  PID:5724
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB13
    3⤵
    PID:5836
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB14
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB14
    3⤵
    PID:4916
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB15
  2⤵
  PID:6012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB15
    3⤵
    PID:5432
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB16
  2⤵
  PID:3948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB16
    3⤵
    PID:5024
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB17
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB17
    3⤵
    PID:4548
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB18
  2⤵
  PID:996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB18
    3⤵
    PID:5328
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB19
  2⤵
  PID:4888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB19
    3⤵
    PID:4976
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB20
  2⤵
  PID:5324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB20
    3⤵
    PID:2188
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB21
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB21
    3⤵
    PID:5160
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB22
  2⤵
  PID:5428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB22
    3⤵
    PID:5456
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB24
  2⤵
  PID:4908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB24
    3⤵
    PID:5180
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB23
  2⤵
  PID:732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB23
    3⤵
    PID:5084
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB25
  2⤵
  PID:4796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB25
    3⤵
    PID:5264
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2512"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5152
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2512"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5660
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2512"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6072
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4888"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5604
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4888"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5952
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4888"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6092
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5324"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5156
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5324"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6100
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5324"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5004"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5260
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5004"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5992
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5004"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5428"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5872
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5428"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5428"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5128
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4908"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4908"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4908"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4796"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5344
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4796"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5748
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4796"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA
1⤵
PID:5476

\??\c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/200-10-0x0000000000000000-mapping.dmp

Download
memory/416-3-0x0000000000000000-mapping.dmp

Download
memory/500-5-0x0000000000000000-mapping.dmp

Download
memory/520-12-0x0000000000000000-mapping.dmp

Download
memory/740-4-0x0000000000000000-mapping.dmp

Download
memory/1176-13-0x0000000000000000-mapping.dmp

Download
memory/1320-14-0x0000000000000000-mapping.dmp

Download
memory/1648-6-0x0000000000000000-mapping.dmp

Download
memory/1828-35-0x0000000000000000-mapping.dmp

Download
memory/2312-11-0x0000000000000000-mapping.dmp

Download
memory/2600-9-0x0000000000000000-mapping.dmp

Download
memory/3560-38-0x0000000000000000-mapping.dmp

Download
memory/3668-7-0x0000000000000000-mapping.dmp

Download
memory/3720-2-0x0000000000000000-mapping.dmp

Download
memory/3724-34-0x0000000000000000-mapping.dmp

Download
memory/3980-39-0x0000000000000000-mapping.dmp

Download
memory/4060-8-0x0000000000000000-mapping.dmp

Download
memory/4116-15-0x0000000000000000-mapping.dmp

Download
memory/4176-16-0x0000000000000000-mapping.dmp

Download
memory/4324-17-0x0000000000000000-mapping.dmp

Download
memory/4404-18-0x0000000000000000-mapping.dmp

Download
memory/4468-19-0x0000000000000000-mapping.dmp

Download
memory/4524-20-0x0000000000000000-mapping.dmp

Download
memory/4592-21-0x0000000000000000-mapping.dmp

Download
memory/4616-36-0x0000000000000000-mapping.dmp

Download
memory/4664-22-0x0000000000000000-mapping.dmp

Download
memory/4680-40-0x0000000000000000-mapping.dmp

Download
memory/4716-23-0x0000000000000000-mapping.dmp

Download
memory/4776-24-0x0000000000000000-mapping.dmp

Download
memory/4788-37-0x0000000000000000-mapping.dmp

Download
memory/4804-25-0x0000000000000000-mapping.dmp

Download
memory/4848-26-0x0000000000000000-mapping.dmp

Download
memory/4864-27-0x0000000000000000-mapping.dmp

Download
memory/4904-28-0x0000000000000000-mapping.dmp

Download
memory/4960-29-0x0000000000000000-mapping.dmp

Download
memory/5008-30-0x0000000000000000-mapping.dmp

Download
memory/5020-31-0x0000000000000000-mapping.dmp

Download
memory/5072-32-0x0000000000000000-mapping.dmp

Download
memory/5096-33-0x0000000000000000-mapping.dmp

Download
memory/5124-41-0x0000000000000000-mapping.dmp

Download
memory/5148-42-0x0000000000000000-mapping.dmp

Download
memory/5192-43-0x0000000000000000-mapping.dmp

Download
memory/5232-44-0x0000000000000000-mapping.dmp

Download
memory/5292-45-0x0000000000000000-mapping.dmp

Download
memory/5304-46-0x0000000000000000-mapping.dmp

Download
memory/5320-47-0x0000000000000000-mapping.dmp

Download
memory/5404-48-0x0000000000000000-mapping.dmp

Download
memory/5416-49-0x0000000000000000-mapping.dmp

Download
memory/5476-50-0x0000000000000000-mapping.dmp

Download
memory/5504-51-0x0000000000000000-mapping.dmp

Download
memory/5568-52-0x0000000000000000-mapping.dmp

Download
memory/5588-53-0x0000000000000000-mapping.dmp

Download
memory/5608-54-0x0000000000000000-mapping.dmp

Download
memory/5640-55-0x0000000000000000-mapping.dmp

Download
memory/5664-56-0x0000000000000000-mapping.dmp

Download
memory/5708-57-0x0000000000000000-mapping.dmp

Download
memory/5720-58-0x0000000000000000-mapping.dmp

Download
memory/5756-59-0x0000000000000000-mapping.dmp

Download
memory/5796-60-0x0000000000000000-mapping.dmp

Download
memory/5940-61-0x0000000000000000-mapping.dmp

Download
memory/5960-62-0x0000000000000000-mapping.dmp

Download
memory/5980-63-0x0000000000000000-mapping.dmp

Download
memory/6000-64-0x0000000000000000-mapping.dmp

Download
memory/6056-65-0x0000000000000000-mapping.dmp

Download