Analysis
-
max time kernel
139s -
max time network
147s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
30-08-2021 08:20
Static task
static1
Behavioral task
behavioral1
Sample
501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe
Resource
win10v20210408
General
-
Target
501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe
-
Size
157KB
-
MD5
136bd70f7aa98f52861879d7dca03cf2
-
SHA1
fadd8d7c13a18c251ded1f645ffea18a37f1c2de
-
SHA256
501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe
-
SHA512
919b81c6e062f26fef9f2f02f60af9493795ab1e74be0977210375598d2a17e37add7f7843f94c7cd6c44ba12af777a478c3744692ece2e31864b6aafd37e8df
Malware Config
Extracted
C:\Boot\bg-BG\read_me_lkd.txt
http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/d87c3f9baf85b2e9ab2a824bb78868294e19992e2e26b54f248abfa73c42a7c0
Signatures
-
HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\MergeSearch.tiff 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe File renamed C:\Users\Admin\Pictures\ClearConvertFrom.tif => C:\Users\Admin\Pictures\ClearConvertFrom.tif.crypted 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe File renamed C:\Users\Admin\Pictures\MergeSearch.tiff => C:\Users\Admin\Pictures\MergeSearch.tiff.crypted 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe File renamed C:\Users\Admin\Pictures\MergeTrace.raw => C:\Users\Admin\Pictures\MergeTrace.raw.crypted 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe File renamed C:\Users\Admin\Pictures\EnableUnlock.crw => C:\Users\Admin\Pictures\EnableUnlock.crw.crypted 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe File renamed C:\Users\Admin\Pictures\CompareRevoke.tif => C:\Users\Admin\Pictures\CompareRevoke.tif.crypted 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe File renamed C:\Users\Admin\Pictures\OptimizeApprove.png => C:\Users\Admin\Pictures\OptimizeApprove.png.crypted 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe File renamed C:\Users\Admin\Pictures\WaitPop.tif => C:\Users\Admin\Pictures\WaitPop.tif.crypted 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe File renamed C:\Users\Admin\Pictures\UnlockTest.png => C:\Users\Admin\Pictures\UnlockTest.png.crypted 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe File renamed C:\Users\Admin\Pictures\ShowDisconnect.tif => C:\Users\Admin\Pictures\ShowDisconnect.tif.crypted 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 64 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 10632 taskkill.exe 10744 taskkill.exe 12544 taskkill.exe 13400 taskkill.exe 2604 taskkill.exe 7164 taskkill.exe 11920 taskkill.exe 12720 taskkill.exe 3832 taskkill.exe 10348 taskkill.exe 7412 taskkill.exe 8424 taskkill.exe 7084 taskkill.exe 6380 taskkill.exe 9368 taskkill.exe 10868 taskkill.exe 8200 taskkill.exe 868 taskkill.exe 3736 taskkill.exe 12432 taskkill.exe 13268 taskkill.exe 4308 taskkill.exe 7508 taskkill.exe 10576 taskkill.exe 10812 taskkill.exe 11316 taskkill.exe 11652 taskkill.exe 12056 taskkill.exe 3640 taskkill.exe 6888 taskkill.exe 8140 taskkill.exe 8856 taskkill.exe 13860 taskkill.exe 6600 taskkill.exe 10688 taskkill.exe 13584 taskkill.exe 728 taskkill.exe 7536 taskkill.exe 6704 taskkill.exe 6700 taskkill.exe 7440 taskkill.exe 9564 taskkill.exe 10120 taskkill.exe 7240 taskkill.exe 5032 taskkill.exe 4904 taskkill.exe 7936 taskkill.exe 6972 taskkill.exe 10028 taskkill.exe 13744 taskkill.exe 1156 taskkill.exe 5124 taskkill.exe 7372 taskkill.exe 4748 taskkill.exe 6884 taskkill.exe 11516 taskkill.exe 12368 taskkill.exe 3324 taskkill.exe 4256 taskkill.exe 5468 taskkill.exe 5092 taskkill.exe 11984 taskkill.exe 13768 taskkill.exe 13912 taskkill.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exepid process 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exepid process 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exedescription pid process Token: SeDebugPrivilege 420 taskkill.exe Token: SeDebugPrivilege 2808 taskkill.exe Token: SeDebugPrivilege 3736 taskkill.exe Token: SeDebugPrivilege 576 taskkill.exe Token: SeDebugPrivilege 868 taskkill.exe Token: SeDebugPrivilege 3324 taskkill.exe Token: SeDebugPrivilege 496 taskkill.exe Token: SeDebugPrivilege 1156 taskkill.exe Token: SeDebugPrivilege 940 taskkill.exe Token: SeDebugPrivilege 2476 taskkill.exe Token: SeDebugPrivilege 3972 taskkill.exe Token: SeDebugPrivilege 3228 taskkill.exe Token: SeDebugPrivilege 4256 taskkill.exe Token: SeDebugPrivilege 3080 taskkill.exe Token: SeDebugPrivilege 3144 taskkill.exe Token: SeDebugPrivilege 3740 taskkill.exe Token: SeDebugPrivilege 728 taskkill.exe Token: SeDebugPrivilege 2748 taskkill.exe Token: SeDebugPrivilege 2676 taskkill.exe Token: SeDebugPrivilege 2604 taskkill.exe Token: SeDebugPrivilege 6888 taskkill.exe Token: SeDebugPrivilege 7060 taskkill.exe Token: SeDebugPrivilege 7176 taskkill.exe Token: SeDebugPrivilege 7220 taskkill.exe Token: SeDebugPrivilege 7228 taskkill.exe Token: SeDebugPrivilege 7248 taskkill.exe Token: SeDebugPrivilege 7188 taskkill.exe Token: SeDebugPrivilege 7204 taskkill.exe Token: SeDebugPrivilege 7212 taskkill.exe Token: SeDebugPrivilege 7240 taskkill.exe Token: SeDebugPrivilege 7068 taskkill.exe Token: SeDebugPrivilege 7620 taskkill.exe Token: SeDebugPrivilege 8096 taskkill.exe Token: SeDebugPrivilege 8456 taskkill.exe Token: SeDebugPrivilege 8592 taskkill.exe Token: SeDebugPrivilege 8856 taskkill.exe Token: SeDebugPrivilege 9052 taskkill.exe Token: SeDebugPrivilege 9136 taskkill.exe Token: SeDebugPrivilege 9188 taskkill.exe Token: SeDebugPrivilege 7536 taskkill.exe Token: SeDebugPrivilege 5840 taskkill.exe Token: SeDebugPrivilege 5324 taskkill.exe Token: SeDebugPrivilege 5528 taskkill.exe Token: SeDebugPrivilege 5620 taskkill.exe Token: SeDebugPrivilege 5608 taskkill.exe Token: SeDebugPrivilege 4308 taskkill.exe Token: SeDebugPrivilege 5332 taskkill.exe Token: SeDebugPrivilege 7372 taskkill.exe Token: SeDebugPrivilege 5520 taskkill.exe Token: SeDebugPrivilege 8372 taskkill.exe Token: SeDebugPrivilege 4748 taskkill.exe Token: SeDebugPrivilege 5440 taskkill.exe Token: SeDebugPrivilege 8404 taskkill.exe Token: SeDebugPrivilege 8052 taskkill.exe Token: SeDebugPrivilege 5124 taskkill.exe Token: SeDebugPrivilege 8424 taskkill.exe Token: SeDebugPrivilege 8432 taskkill.exe Token: SeDebugPrivilege 6076 taskkill.exe Token: SeDebugPrivilege 7104 taskkill.exe Token: SeDebugPrivilege 5204 taskkill.exe Token: SeDebugPrivilege 5368 taskkill.exe Token: SeDebugPrivilege 8156 taskkill.exe Token: SeDebugPrivilege 7084 taskkill.exe Token: SeDebugPrivilege 8116 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exedescription pid process target process PID 640 wrote to memory of 3144 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3144 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3144 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3080 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3080 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3080 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3972 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3972 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3972 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3740 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3740 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3740 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2676 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2676 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2676 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2808 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2808 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2808 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2604 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2604 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2604 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 420 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 420 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 420 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 940 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 940 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 940 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2476 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2476 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2476 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 728 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 728 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 728 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 1156 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 1156 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 1156 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3228 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3228 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3228 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 496 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 496 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 496 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 868 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 868 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 868 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 576 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 576 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 576 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3324 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3324 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3324 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2748 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2748 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 2748 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3736 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3736 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 3736 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 4256 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 4256 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 4256 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe taskkill.exe PID 640 wrote to memory of 4304 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe net.exe PID 640 wrote to memory of 4304 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe net.exe PID 640 wrote to memory of 4304 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe net.exe PID 640 wrote to memory of 4316 640 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe net.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe"C:\Users\Admin\AppData\Local\Temp\501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe"1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im mysql*2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im dsa*2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Ntrtscan*2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im ds_monitor*2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Notifier*2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im TmListen*2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im iVPAgent*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im CNTAoSMgr*2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im IBM*2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im bes10*2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im black*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im robo*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im store.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im sql*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im vee*2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im wrsa*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im wrsa.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im postg*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im copy*2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im sage*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper1002⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1003⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSSQL$ISARS2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$ISARS3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSSQL$MSFW2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$MSFW3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$ISARS2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$ISARS3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$MSFW2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$MSFW3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SQLBrowser2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop ReportServer$ISARS2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$ISARS3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SQLWriter2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop mr2kserv2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mr2kserv3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSExchangeADTopology2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeADTopology3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop WinDefend2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSExchangeFBA2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeFBA3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSExchangeIS2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSExchangeSA2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSA3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop ShadowProtectSvc2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ShadowProtectSvc3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SPTraceV42⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPTraceV43⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SPWriterV42⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPWriterV43⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper1002⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1003⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop IISADMIN2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISADMIN3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SPSearch42⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPSearch43⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SPUserCodeV42⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPUserCodeV43⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SPTimerV42⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPTimerV43⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SPAdminV42⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPAdminV43⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop firebirdguardiandefaultinstance2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop firebirdguardiandefaultinstance3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop ibmiasrw2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ibmiasrw3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QBCFMonitorService2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QBVSS2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBVSS3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB12⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB13⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop IISADMIN2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISADMIN3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QBPOSDBServiceV122⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBPOSDBServiceV123⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB22⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB23⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB132⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB133⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB122⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB123⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB112⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB113⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB102⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB103⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB92⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB93⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB82⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB83⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB72⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB73⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB62⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB63⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB52⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB53⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB252⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB253⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB242⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB243⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB232⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB233⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB222⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB223⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB212⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB213⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB202⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB203⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB192⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB193⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB182⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB183⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB172⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB173⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB162⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB163⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB152⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB153⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB142⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB143⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB42⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB43⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB32⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB33⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4304"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4344"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4660"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4344"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4344"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4316"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4316"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4316"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4304"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4304"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2972"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2972"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2972"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4660"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4660"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4820"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4820"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4820"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4852"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4852"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4852"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4896"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4896"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4896"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4908"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4908"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4908"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4928"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4928"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4928"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4968"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4968"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4968"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5008"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5008"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5008"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5056"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5056"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5056"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5104"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5104"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5104"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4132"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4132"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4132"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5088"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5088"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5088"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5148"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5148"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5148"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5228"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5228"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5228"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5280"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5280"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5280"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5328"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5328"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5328"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5444"2⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5444"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5444"2⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5516"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5516"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5516"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5592"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5592"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5592"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5632"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5632"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5632"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5716"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5716"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5716"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5776"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5776"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5776"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5824"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5824"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5824"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5884"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5884"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5884"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5984"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5984"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5984"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6004"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6004"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6004"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6012"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6012"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6012"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6020"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6020"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6020"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6028"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6028"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6028"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6036"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6036"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6036"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6072"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6072"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6072"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6080"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6080"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6080"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6104"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6104"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6104"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6120"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6120"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6120"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6140"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6140"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6140"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4872"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4872"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4872"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4976"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4976"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4976"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5136"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5136"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5136"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5192"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5192"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5192"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5260"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5260"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5260"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5236"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5236"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5236"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5536"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5536"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5536"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5348"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5348"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5348"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5600"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5600"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5600"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5468"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5468"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5468"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5724"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5724"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5724"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5848"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5848"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5848"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5892"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5892"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5892"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5996"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5996"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5996"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6156"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6156"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6156"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6168"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6168"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6168"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6176"2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6176"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6176"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6188"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6188"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6188"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6200"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6200"2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6200"2⤵
-
\??\c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/420-121-0x0000000000000000-mapping.dmp
-
memory/496-127-0x0000000000000000-mapping.dmp
-
memory/576-129-0x0000000000000000-mapping.dmp
-
memory/728-124-0x0000000000000000-mapping.dmp
-
memory/868-128-0x0000000000000000-mapping.dmp
-
memory/940-122-0x0000000000000000-mapping.dmp
-
memory/1156-125-0x0000000000000000-mapping.dmp
-
memory/2476-123-0x0000000000000000-mapping.dmp
-
memory/2604-120-0x0000000000000000-mapping.dmp
-
memory/2676-118-0x0000000000000000-mapping.dmp
-
memory/2748-131-0x0000000000000000-mapping.dmp
-
memory/2808-119-0x0000000000000000-mapping.dmp
-
memory/3080-115-0x0000000000000000-mapping.dmp
-
memory/3144-114-0x0000000000000000-mapping.dmp
-
memory/3228-126-0x0000000000000000-mapping.dmp
-
memory/3324-130-0x0000000000000000-mapping.dmp
-
memory/3736-132-0x0000000000000000-mapping.dmp
-
memory/3740-117-0x0000000000000000-mapping.dmp
-
memory/3972-116-0x0000000000000000-mapping.dmp
-
memory/4132-147-0x0000000000000000-mapping.dmp
-
memory/4256-133-0x0000000000000000-mapping.dmp
-
memory/4304-134-0x0000000000000000-mapping.dmp
-
memory/4316-135-0x0000000000000000-mapping.dmp
-
memory/4340-149-0x0000000000000000-mapping.dmp
-
memory/4344-136-0x0000000000000000-mapping.dmp
-
memory/4436-148-0x0000000000000000-mapping.dmp
-
memory/4660-137-0x0000000000000000-mapping.dmp
-
memory/4668-150-0x0000000000000000-mapping.dmp
-
memory/4820-138-0x0000000000000000-mapping.dmp
-
memory/4852-139-0x0000000000000000-mapping.dmp
-
memory/4896-140-0x0000000000000000-mapping.dmp
-
memory/4908-141-0x0000000000000000-mapping.dmp
-
memory/4916-152-0x0000000000000000-mapping.dmp
-
memory/4924-151-0x0000000000000000-mapping.dmp
-
memory/4928-142-0x0000000000000000-mapping.dmp
-
memory/4968-143-0x0000000000000000-mapping.dmp
-
memory/5008-144-0x0000000000000000-mapping.dmp
-
memory/5056-145-0x0000000000000000-mapping.dmp
-
memory/5088-153-0x0000000000000000-mapping.dmp
-
memory/5104-146-0x0000000000000000-mapping.dmp
-
memory/5148-154-0x0000000000000000-mapping.dmp
-
memory/5176-155-0x0000000000000000-mapping.dmp
-
memory/5228-156-0x0000000000000000-mapping.dmp
-
memory/5252-157-0x0000000000000000-mapping.dmp
-
memory/5280-158-0x0000000000000000-mapping.dmp
-
memory/5328-159-0x0000000000000000-mapping.dmp
-
memory/5340-160-0x0000000000000000-mapping.dmp
-
memory/5408-161-0x0000000000000000-mapping.dmp
-
memory/5444-163-0x0000000000000000-mapping.dmp
-
memory/5460-162-0x0000000000000000-mapping.dmp
-
memory/5516-164-0x0000000000000000-mapping.dmp
-
memory/5556-165-0x0000000000000000-mapping.dmp
-
memory/5568-166-0x0000000000000000-mapping.dmp
-
memory/5592-167-0x0000000000000000-mapping.dmp
-
memory/5608-168-0x0000000000000000-mapping.dmp
-
memory/5632-169-0x0000000000000000-mapping.dmp
-
memory/5716-170-0x0000000000000000-mapping.dmp
-
memory/5776-171-0x0000000000000000-mapping.dmp
-
memory/5812-172-0x0000000000000000-mapping.dmp
-
memory/5824-173-0x0000000000000000-mapping.dmp
-
memory/5852-174-0x0000000000000000-mapping.dmp
-
memory/5884-175-0x0000000000000000-mapping.dmp
-
memory/5900-176-0x0000000000000000-mapping.dmp
-
memory/5916-177-0x0000000000000000-mapping.dmp