hellokitty | 8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe
Size

477KB
MD5

eab47cbf897c7e9c2dc1009e11d1d928
SHA1

0816c29d03f6612b053db52a245f6c0062967b5d
SHA256

8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2
SHA512

18fb24334b50fb2270eede826e9ec8e5b124b4ed5f14e54a0c7348f1a306bef0d6b1b4059f337aac51970b045ed58d9c6680d9104a30f598196ae9a0726dac53
SSDEEP

3072:oNV+NjSXtz57JtE/Dglskr/gT72ZywWWq/ePVl/uw7cFhUD:oTcjSXDukskWWjzcFCD

Score

10^/10

hellokitty discovery ransomware

Malware Config

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty
Renames multiple (146) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
5332	net.exe
6584	net1.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
6340	taskkill.exe
396	taskkill.exe
5292	taskkill.exe
2328	taskkill.exe
5256	taskkill.exe
6884	taskkill.exe
6120	taskkill.exe
3972	taskkill.exe
6404	taskkill.exe
1468	taskkill.exe
2464	taskkill.exe
6744	taskkill.exe
5544	taskkill.exe
6044	taskkill.exe
1496	taskkill.exe
5516	taskkill.exe
6808	taskkill.exe
2648	taskkill.exe
4916	taskkill.exe
3316	taskkill.exe
5500	taskkill.exe
2196	taskkill.exe
6320	taskkill.exe
3948	taskkill.exe
3652	taskkill.exe
2132	taskkill.exe
3876	taskkill.exe
5048	taskkill.exe
3700	taskkill.exe
5416	taskkill.exe
6448	taskkill.exe
2492	taskkill.exe
1148	taskkill.exe
6956	taskkill.exe
3040	taskkill.exe
4080	taskkill.exe
2932	taskkill.exe
4472	taskkill.exe
7092	taskkill.exe
7044	taskkill.exe
5024	taskkill.exe
3440	taskkill.exe
3064	taskkill.exe
4028	taskkill.exe
6864	taskkill.exe
456	taskkill.exe
5324	taskkill.exe
5868	taskkill.exe
1812	taskkill.exe
2152	taskkill.exe
1028	taskkill.exe
3648	taskkill.exe
5972	taskkill.exe
3388	taskkill.exe
4440	taskkill.exe
5884	taskkill.exe
6664	taskkill.exe
1420	taskkill.exe
6276	taskkill.exe
2460	taskkill.exe
3256	taskkill.exe
5920	taskkill.exe
5048	taskkill.exe
2744	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe
1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	5096	taskkill.exe
Token: SeDebugPrivilege	3652	taskkill.exe
Token: SeDebugPrivilege	3248	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	4408	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	3652	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	4440	taskkill.exe
Token: SeDebugPrivilege	4252	taskkill.exe
Token: SeDebugPrivilege	3280	taskkill.exe
Token: SeDebugPrivilege	5416	taskkill.exe
Token: SeDebugPrivilege	6668	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	6004	taskkill.exe
Token: SeDebugPrivilege	6744	taskkill.exe
Token: SeDebugPrivilege	6164	taskkill.exe
Token: SeDebugPrivilege	5708	taskkill.exe
Token: SeDebugPrivilege	5716	taskkill.exe
Token: SeDebugPrivilege	5548	taskkill.exe
Token: SeDebugPrivilege	5892	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	5292	taskkill.exe
Token: SeDebugPrivilege	5544	taskkill.exe
Token: SeDebugPrivilege	5928	taskkill.exe
Token: SeDebugPrivilege	5884	taskkill.exe
Token: SeDebugPrivilege	5836	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	3180	taskkill.exe
Token: SeDebugPrivilege	6796	taskkill.exe
Token: SeDebugPrivilege	6044	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	3568	taskkill.exe
Token: SeDebugPrivilege	6320	taskkill.exe
Token: SeDebugPrivilege	388	taskkill.exe
Token: SeDebugPrivilege	6412	taskkill.exe
Token: SeDebugPrivilege	6288	taskkill.exe
Token: SeDebugPrivilege	5048	taskkill.exe
Token: SeDebugPrivilege	5740	taskkill.exe
Token: SeDebugPrivilege	5724	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 3796	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	84
PID 1076 wrote to memory of 3796	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	84
PID 1076 wrote to memory of 3796	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	84
PID 1076 wrote to memory of 1812	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	85
PID 1076 wrote to memory of 1812	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	85
PID 1076 wrote to memory of 1812	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	85
PID 1076 wrote to memory of 3552	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	88
PID 1076 wrote to memory of 3552	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	88
PID 1076 wrote to memory of 3552	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	88
PID 1076 wrote to memory of 3948	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	89
PID 1076 wrote to memory of 3948	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	89
PID 1076 wrote to memory of 3948	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	89
PID 1076 wrote to memory of 624	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	90
PID 1076 wrote to memory of 624	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	90
PID 1076 wrote to memory of 624	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	90
PID 1076 wrote to memory of 2460	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	92
PID 1076 wrote to memory of 2460	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	92
PID 1076 wrote to memory of 2460	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	92
PID 1076 wrote to memory of 5044	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	95
PID 1076 wrote to memory of 5044	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	95
PID 1076 wrote to memory of 5044	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	95
PID 1076 wrote to memory of 3652	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	301
PID 1076 wrote to memory of 3652	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	301
PID 1076 wrote to memory of 3652	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	301
PID 1076 wrote to memory of 1468	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	97
PID 1076 wrote to memory of 1468	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	97
PID 1076 wrote to memory of 1468	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	97
PID 1076 wrote to memory of 4644	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	501
PID 1076 wrote to memory of 4644	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	501
PID 1076 wrote to memory of 4644	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	501
PID 1076 wrote to memory of 2464	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	100
PID 1076 wrote to memory of 2464	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	100
PID 1076 wrote to memory of 2464	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	100
PID 1076 wrote to memory of 3936	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	105
PID 1076 wrote to memory of 3936	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	105
PID 1076 wrote to memory of 3936	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	105
PID 1076 wrote to memory of 1500	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	469
PID 1076 wrote to memory of 1500	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	469
PID 1076 wrote to memory of 1500	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	469
PID 1076 wrote to memory of 5096	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	351
PID 1076 wrote to memory of 5096	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	351
PID 1076 wrote to memory of 5096	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	351
PID 1076 wrote to memory of 5024	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	112
PID 1076 wrote to memory of 5024	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	112
PID 1076 wrote to memory of 5024	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	112
PID 1076 wrote to memory of 3248	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	113
PID 1076 wrote to memory of 3248	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	113
PID 1076 wrote to memory of 3248	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	113
PID 1076 wrote to memory of 2152	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	319
PID 1076 wrote to memory of 2152	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	319
PID 1076 wrote to memory of 2152	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	319
PID 1076 wrote to memory of 4408	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	276
PID 1076 wrote to memory of 4408	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	276
PID 1076 wrote to memory of 4408	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	276
PID 1076 wrote to memory of 4260	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	118
PID 1076 wrote to memory of 4260	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	118
PID 1076 wrote to memory of 4260	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	118
PID 1076 wrote to memory of 844	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	123
PID 1076 wrote to memory of 844	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	123
PID 1076 wrote to memory of 844	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	123
PID 1076 wrote to memory of 2612	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	210
PID 1076 wrote to memory of 2612	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	210
PID 1076 wrote to memory of 2612	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	210
PID 1076 wrote to memory of 3132	1076	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe
"C:\Users\Admin\AppData\Local\Temp\8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im mysql*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im dsa*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Ntrtscan*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3552
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im ds_monitor*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Notifier*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:624
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im TmListen*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im iVPAgent*
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im CNTAoSMgr*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3652
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im IBM*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im bes10*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im black*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im robo*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im copy*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im store.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im vee*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3248
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im postg*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sage*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  PID:2612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    PID:4532
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ISARS
  2⤵
  PID:3132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4636
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$MSFW
  2⤵
  PID:456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$MSFW
    3⤵
    PID:5416
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ISARS
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ISARS
    3⤵
    PID:5324
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$MSFW
  2⤵
  PID:4620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$MSFW
    3⤵
    PID:5584
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser
  2⤵
  PID:4028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser
    3⤵
    PID:5288
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$ISARS
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$ISARS
    3⤵
    PID:5732
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter
  2⤵
  PID:4320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLWriter
    3⤵
    PID:5692
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop WinDefend
  2⤵
  PID:2420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    PID:5652
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop mr2kserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mr2kserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5844
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeADTopology
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeADTopology
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6120
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeFBA
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeFBA
    3⤵
    - System Location Discovery: System Language Discovery
    PID:396
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS
    3⤵
    PID:3668
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5172
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6440
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ShadowProtectSvc
  2⤵
  PID:5256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ShadowProtectSvc
    3⤵
    PID:6484
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPAdminV4
  2⤵
  PID:5308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPAdminV4
    3⤵
    PID:6592
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTimerV4
  2⤵
  - System Location Discovery: System Language Discovery
  - System Time Discovery
  PID:5332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTimerV4
    3⤵
    - System Location Discovery: System Language Discovery
    - System Time Discovery
    PID:6584
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTraceV4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTraceV4
    3⤵
    PID:6380
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPUserCodeV4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPUserCodeV4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6600
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPWriterV4
  2⤵
  PID:5624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPWriterV4
    3⤵
    PID:4872
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPSearch4
  2⤵
  PID:5636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPSearch4
    3⤵
    PID:4820
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  PID:5680
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    PID:5292
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:5704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:5736
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop firebirdguardiandefaultinstance
  2⤵
  PID:5712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
    3⤵
    PID:7128
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ibmiasrw
  2⤵
  PID:5724
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ibmiasrw
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4276
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBCFMonitorService
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService
    3⤵
    PID:3976
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBVSS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBVSS
    3⤵
    PID:2912
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBPOSDBServiceV12
  2⤵
  PID:5900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBPOSDBServiceV12
    3⤵
    PID:4812
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"
    3⤵
    PID:3540
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
  2⤵
  PID:6040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
    3⤵
    PID:5084
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:6064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:3856
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4460
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1140
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB1
  2⤵
  PID:5284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB2
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB2
    3⤵
    PID:3596
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB3
  2⤵
  PID:4168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB3
    3⤵
    PID:4408
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB4
    3⤵
    PID:2480
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB5
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB5
    3⤵
    PID:1644
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB6
  2⤵
  PID:6156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB6
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB7
  2⤵
  PID:6228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB7
    3⤵
    PID:1876
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB8
  2⤵
  PID:6280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB8
    3⤵
    PID:1452
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB9
    3⤵
    PID:2080
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB10
  2⤵
  PID:6392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB10
    3⤵
    PID:6060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB11
    3⤵
    PID:6152
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB12
  2⤵
  PID:6456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB12
    3⤵
    PID:2152
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB13
  2⤵
  PID:6536
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB13
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4492
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB14
  2⤵
  PID:6612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB14
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2032
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB15
  2⤵
  PID:6764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB15
    3⤵
    PID:2216
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB16
  2⤵
  PID:6772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB16
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1056
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB17
  2⤵
  PID:6792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB17
    3⤵
    PID:6572
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB18
  2⤵
  PID:6908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB18
    3⤵
    PID:5596
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB19
  2⤵
  PID:6936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB19
    3⤵
    PID:8
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB20
  2⤵
  PID:6972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB20
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5500
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB21
  2⤵
  PID:7012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB21
    3⤵
    PID:1728
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB22
  2⤵
  PID:7052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB22
    3⤵
    PID:1148
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB23
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB23
    3⤵
    PID:5468
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB24
  2⤵
  PID:6016
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB24
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5104
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB25
  2⤵
  PID:5676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB25
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2856"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5416
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2856"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2856"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3280
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2900"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2900"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2900"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3216"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3216"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3216"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3652
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5256"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5256"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6668
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5256"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3876
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5308"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1860
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5308"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5308"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5332"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5332"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6004
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5332"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6744
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6584
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5456"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5544
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5456
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5456"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5548
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5456"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5292
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5624"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5892
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5624"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5624"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5716
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5636"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5708
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1700
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5636"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6164
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5636"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5836
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5680"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5096
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5680"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5884
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5680"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5704"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5704"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6044
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5704"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5712"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6412
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5712"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6320
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5712"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6796
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5724"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5724"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3180
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5724"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5740"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5740"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5740"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6288
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5848"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5724
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6064
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5848"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5740
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5848"
  2⤵
  PID:5784
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5900"
  2⤵
  - Kills process with taskkill
  PID:1496
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5900"
  2⤵
  - Kills process with taskkill
  PID:3700
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5900"
  2⤵
  PID:6860
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5964"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6944
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5964"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6644
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5964"
  2⤵
  - Kills process with taskkill
  PID:6448
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6040"
  2⤵
  - Kills process with taskkill
  PID:2492
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6040"
  2⤵
  - Kills process with taskkill
  PID:3316
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6040"
  2⤵
  PID:800
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6064"
  2⤵
  - Kills process with taskkill
  PID:3064
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6064"
  2⤵
  - Kills process with taskkill
  PID:1148
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6064"
  2⤵
  PID:1356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:868
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4460"
  2⤵
  PID:6976
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4460"
  2⤵
  PID:1912
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4460"
  2⤵
  - Kills process with taskkill
  PID:3256
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5284"
  2⤵
  PID:6940
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5284"
  2⤵
  PID:5656
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5284"
  2⤵
  PID:6608
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5304"
  2⤵
  PID:5772
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5304"
  2⤵
  - Kills process with taskkill
  PID:3972
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5304"
  2⤵
  - Kills process with taskkill
  PID:2328
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4168"
  2⤵
  PID:5368
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4168"
  2⤵
  - Kills process with taskkill
  PID:5256
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4168"
  2⤵
  PID:772
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3528"
  2⤵
  - Kills process with taskkill
  PID:4028
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1476
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3528"
  2⤵
  PID:4884
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3528"
  2⤵
  PID:6784
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2612"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2612"
  2⤵
  PID:4100
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6744
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2612"
  2⤵
  - Kills process with taskkill
  PID:6884
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6936
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6156"
  2⤵
  PID:6416
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6668
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6156"
  2⤵
  - Kills process with taskkill
  PID:6664
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3176
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6156"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6392
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3280
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6228"
  2⤵
  PID:1292
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6228"
  2⤵
  - Kills process with taskkill
  PID:3040
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4252
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6228"
  2⤵
  PID:6992
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6280"
  2⤵
  PID:6112
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6280"
  2⤵
  - Kills process with taskkill
  PID:6404
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6280"
  2⤵
  PID:4768
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6572
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6332"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:6120
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6332"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3540
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5732
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6332"
  2⤵
  - Kills process with taskkill
  PID:4080
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1500
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6392"
  2⤵
  - Kills process with taskkill
  PID:3648
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6392"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2196
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6392"
  2⤵
  - Kills process with taskkill
  PID:2932
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6408"
  2⤵
  PID:2232
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5708
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6408"
  2⤵
  PID:7064
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5544
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6408"
  2⤵
  - Kills process with taskkill
  PID:4472
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6456"
  2⤵
  PID:5856
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6280
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6456"
  2⤵
  - Kills process with taskkill
  PID:5972
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6456"
  2⤵
  PID:1212
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6536"
  2⤵
  - Kills process with taskkill
  PID:5516
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6536"
  2⤵
  - Kills process with taskkill
  PID:5920
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6536"
  2⤵
  PID:6924
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6612"
  2⤵
  PID:5800
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6612"
  2⤵
  PID:3904
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6612"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5424
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6764"
  2⤵
  PID:536
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6764"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4644
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4460
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6764"
  2⤵
  PID:3728
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5304
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6772"
  2⤵
  PID:3572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6772
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6772"
  2⤵
  - Kills process with taskkill
  PID:5048
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6772"
  2⤵
  PID:4072
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6792"
  2⤵
  - Kills process with taskkill
  PID:3388
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6600
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6792"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2228
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6792"
  2⤵
  - Kills process with taskkill
  PID:7092
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6908"
  2⤵
  - Kills process with taskkill
  PID:2744
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6908"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:6864
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6908"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:6340
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6936"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2360
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6936"
  2⤵
  - Kills process with taskkill
  PID:6956
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6936"
  2⤵
  PID:7128
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6908
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6972"
  2⤵
  PID:6856
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6972"
  2⤵
  PID:3296
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6972"
  2⤵
  - Kills process with taskkill
  PID:5500
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7012"
  2⤵
  PID:4468
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7012"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:6808
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7012"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2648
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7052"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4440
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7052"
  2⤵
  PID:7024
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7052"
  2⤵
  - Kills process with taskkill
  PID:1420
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4532
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7088"
  2⤵
  - Kills process with taskkill
  PID:6320
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7088"
  2⤵
  - Kills process with taskkill
  PID:5324
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7088"
  2⤵
  PID:3100
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6016"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:6276
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6016"
  2⤵
  - Kills process with taskkill
  PID:456
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6016"
  2⤵
  - Kills process with taskkill
  PID:7044
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5676"
  2⤵
  - Kills process with taskkill
  PID:5868
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5256
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5676"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6552
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5676"
  2⤵
  PID:5944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:6416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1452

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4768

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Contacts\read_me_lkd.txt

Filesize
1KB

MD5
456f9ee19279b7267f4a39a1d09d23ff

SHA1
ff811ade989d29d81537b1549489b55965e78041

SHA256
76800f4dd8d468918290faced7b06fa0a287930d4c76e7719d49b41ba43a45c7

SHA512
5117b46ced621edb9d2552539613e76982d4d7f45ba2a709d92b6b0eab3f955af596fd5079fdc9326f784804a7c5f81e5d1e7a3bd3373b6fe50235afa87f8f07

Download Submit