hellokitty | 8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe
Size

477KB
MD5

eab47cbf897c7e9c2dc1009e11d1d928
SHA1

0816c29d03f6612b053db52a245f6c0062967b5d
SHA256

8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2
SHA512

18fb24334b50fb2270eede826e9ec8e5b124b4ed5f14e54a0c7348f1a306bef0d6b1b4059f337aac51970b045ed58d9c6680d9104a30f598196ae9a0726dac53
SSDEEP

3072:oNV+NjSXtz57JtE/Dglskr/gT72ZywWWq/ePVl/uw7cFhUD:oTcjSXDukskWWjzcFCD

Score

10^/10

hellokitty discovery ransomware

Malware Config

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty
Renames multiple (220) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2876	net.exe
1364	net1.exe

Kills process with taskkill 38 IoCs

evasion

pid	Process
2376	taskkill.exe
536	taskkill.exe
1312	taskkill.exe
2180	taskkill.exe
2532	taskkill.exe
2776	taskkill.exe
1848	taskkill.exe
1448	taskkill.exe
2080	taskkill.exe
880	taskkill.exe
1144	taskkill.exe
1660	taskkill.exe
2740	taskkill.exe
2284	taskkill.exe
2744	taskkill.exe
1008	taskkill.exe
2000	taskkill.exe
2644	taskkill.exe
2600	taskkill.exe
2472	taskkill.exe
2720	taskkill.exe
2696	taskkill.exe
2396	taskkill.exe
900	taskkill.exe
3036	taskkill.exe
2780	taskkill.exe
844	taskkill.exe
1848	taskkill.exe
1664	taskkill.exe
1524	taskkill.exe
2736	taskkill.exe
2920	taskkill.exe
2964	taskkill.exe
2872	taskkill.exe
2868	taskkill.exe
2872	taskkill.exe
1700	taskkill.exe
3068	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	880	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	2600	taskkill.exe
Token: SeDebugPrivilege	536	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2080	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	132
PID 1852 wrote to memory of 2080	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	132
PID 1852 wrote to memory of 2080	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	132
PID 1852 wrote to memory of 2080	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	132
PID 1852 wrote to memory of 2472	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	117
PID 1852 wrote to memory of 2472	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	117
PID 1852 wrote to memory of 2472	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	117
PID 1852 wrote to memory of 2472	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	117
PID 1852 wrote to memory of 880	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	224
PID 1852 wrote to memory of 880	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	224
PID 1852 wrote to memory of 880	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	224
PID 1852 wrote to memory of 880	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	224
PID 1852 wrote to memory of 2376	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	235
PID 1852 wrote to memory of 2376	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	235
PID 1852 wrote to memory of 2376	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	235
PID 1852 wrote to memory of 2376	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	235
PID 1852 wrote to memory of 2740	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	39
PID 1852 wrote to memory of 2740	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	39
PID 1852 wrote to memory of 2740	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	39
PID 1852 wrote to memory of 2740	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	39
PID 1852 wrote to memory of 2284	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	41
PID 1852 wrote to memory of 2284	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	41
PID 1852 wrote to memory of 2284	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	41
PID 1852 wrote to memory of 2284	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	41
PID 1852 wrote to memory of 2868	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	137
PID 1852 wrote to memory of 2868	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	137
PID 1852 wrote to memory of 2868	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	137
PID 1852 wrote to memory of 2868	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	137
PID 1852 wrote to memory of 2720	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	45
PID 1852 wrote to memory of 2720	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	45
PID 1852 wrote to memory of 2720	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	45
PID 1852 wrote to memory of 2720	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	45
PID 1852 wrote to memory of 2736	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	234
PID 1852 wrote to memory of 2736	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	234
PID 1852 wrote to memory of 2736	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	234
PID 1852 wrote to memory of 2736	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	234
PID 1852 wrote to memory of 2696	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	258
PID 1852 wrote to memory of 2696	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	258
PID 1852 wrote to memory of 2696	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	258
PID 1852 wrote to memory of 2696	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	258
PID 1852 wrote to memory of 2872	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	261
PID 1852 wrote to memory of 2872	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	261
PID 1852 wrote to memory of 2872	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	261
PID 1852 wrote to memory of 2872	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	261
PID 1852 wrote to memory of 3036	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	54
PID 1852 wrote to memory of 3036	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	54
PID 1852 wrote to memory of 3036	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	54
PID 1852 wrote to memory of 3036	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	54
PID 1852 wrote to memory of 2920	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	56
PID 1852 wrote to memory of 2920	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	56
PID 1852 wrote to memory of 2920	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	56
PID 1852 wrote to memory of 2920	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	56
PID 1852 wrote to memory of 2780	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	58
PID 1852 wrote to memory of 2780	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	58
PID 1852 wrote to memory of 2780	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	58
PID 1852 wrote to memory of 2780	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	58
PID 1852 wrote to memory of 1144	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	164
PID 1852 wrote to memory of 1144	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	164
PID 1852 wrote to memory of 1144	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	164
PID 1852 wrote to memory of 1144	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	164
PID 1852 wrote to memory of 1700	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	161
PID 1852 wrote to memory of 1700	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	161
PID 1852 wrote to memory of 1700	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	161
PID 1852 wrote to memory of 1700	1852	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	161

C:\Users\Admin\AppData\Local\Temp\8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe
"C:\Users\Admin\AppData\Local\Temp\8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im mysql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im dsa*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Ntrtscan*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im ds_monitor*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Notifier*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im TmListen*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im iVPAgent*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im CNTAoSMgr*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im IBM*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im bes10*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im black*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im robo*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im copy*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im store.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im vee*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im postg*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sage*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ISARS
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ISARS
    3⤵
    PID:1544
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$MSFW
  2⤵
  - System Location Discovery: System Language Discovery
  PID:944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$MSFW
    3⤵
    PID:1252
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ISARS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ISARS
    3⤵
    PID:2424
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$MSFW
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$ISARS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLWriter
    3⤵
    PID:2144
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop WinDefend
  2⤵
  PID:796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    PID:2836
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop mr2kserv
  2⤵
  PID:352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mr2kserv
    3⤵
    PID:2192
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeADTopology
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeADTopology
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2472
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeFBA
  2⤵
  PID:1436
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeFBA
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS
    3⤵
    PID:2860
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ShadowProtectSvc
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ShadowProtectSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2288
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPAdminV4
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPAdminV4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTimerV4
  2⤵
  - System Time Discovery
  PID:2876
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTimerV4
    3⤵
    - System Time Discovery
    PID:1364
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTraceV4
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTraceV4
    3⤵
    PID:2272
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPUserCodeV4
  2⤵
  PID:2360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPUserCodeV4
    3⤵
    PID:928
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPWriterV4
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPWriterV4
    3⤵
    PID:2952
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPSearch4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPSearch4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    PID:688
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:2216
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop firebirdguardiandefaultinstance
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
    3⤵
    PID:2564
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ibmiasrw
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ibmiasrw
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1956
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBCFMonitorService
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBVSS
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBVSS
    3⤵
    PID:1464
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBPOSDBServiceV12
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBPOSDBServiceV12
    3⤵
    PID:1700
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1144
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1036
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:2756
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"
  2⤵
  PID:712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1856
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2004
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB2
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1016
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB3
  2⤵
  PID:704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB3
    3⤵
    PID:1632
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB4
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB4
    3⤵
    PID:1544
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB5
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB6
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB6
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB7
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB7
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1596
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB9
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB9
    3⤵
    PID:1604
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB10
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB10
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB11
    3⤵
    PID:1536
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB12
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB12
    3⤵
    PID:1504
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB13
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB13
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2344
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB14
  2⤵
  - System Location Discovery: System Language Discovery
  PID:280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB14
    3⤵
    PID:2676
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB15
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB15
    3⤵
    PID:1752
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB16
  2⤵
  PID:2856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB16
    3⤵
    PID:1472
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB17
  2⤵
  PID:676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB17
    3⤵
    PID:2768
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB18
  2⤵
  PID:848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB18
    3⤵
    PID:548
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB19
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB19
    3⤵
    PID:2736
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB20
  2⤵
  - System Location Discovery: System Language Discovery
  PID:564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB20
    3⤵
    PID:2728
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB21
  2⤵
  PID:880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB21
    3⤵
    PID:2496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB22
    3⤵
    PID:1996
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB23
  2⤵
  PID:2852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB23
    3⤵
    PID:1980
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB24
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB24
    3⤵
    PID:2900
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB25
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB25
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2856"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2856"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2856"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2352"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2352"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2352"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2684"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2684"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2684"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2852"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2852"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2852"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2792"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2792"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2792"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1716"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1716"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1716"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-82769061939439697920570470531332343770-1184201911-778809023751391153-851174290"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-365431928-639246465-752967810889334444547348171-1707706501132557717462731312"
1⤵
PID:2376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "173821763582639618813628477651968660021-1450903004-964481597-3818054221274029832"
1⤵
PID:2952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1357284828-477586691-7940016161459873073-1853798084355772795957263431640332125"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "584416273773882314-198665207314343906414833906182030522784-1185688669-1628882845"
1⤵
PID:2696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1180777257-515300739-1280634317-21656888716919368551974324731827180610-1755328831"
1⤵
PID:2588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "222489195-6180378281586337702190081612213586103913609378221011660089-1807090658"
1⤵
PID:1728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17337075316560731431651745505-2006735420443126142823073304-1406208799-473898339"
1⤵
PID:1060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "303674055827091844-447121851-13205424481340487280128969518936710174359416584"
1⤵
PID:1544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8646036741491409618-980317356-211627310-1940322578-1640068794555943009424432701"
1⤵
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\read_me_lkd.txt

Filesize
1KB

MD5
456f9ee19279b7267f4a39a1d09d23ff

SHA1
ff811ade989d29d81537b1549489b55965e78041

SHA256
76800f4dd8d468918290faced7b06fa0a287930d4c76e7719d49b41ba43a45c7

SHA512
5117b46ced621edb9d2552539613e76982d4d7f45ba2a709d92b6b0eab3f955af596fd5079fdc9326f784804a7c5f81e5d1e7a3bd3373b6fe50235afa87f8f07

Download Submit
memory/2996-1-0x0000000076E20000-0x0000000076F1A000-memory.dmp

Filesize
1000KB

Download
memory/2996-0-0x0000000076F20000-0x000000007703F000-memory.dmp

Filesize
1.1MB

Download