hellokitty | 513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe
Size

477KB
MD5

e931ab5882d62ea08e498d90e2e11ad0
SHA1

5b68fe6556752d6bf077740d1b297f65a2673b54
SHA256

513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425
SHA512

f12285f65854fbce23b6c4fee6ef662cb61d65b874f17347494c1d0c9984c24acb4c1d703d7821b482864e271d08ccfce73e40a4cff9112d9907fea527ab6042
SSDEEP

3072:/NV+7SXjtEjDg/s6L7h/gT72ZywWWq/ePVl/uw7cFh:/TwSXNUQmkWWjzcF

Score

10^/10

hellokitty discovery ransomware

Malware Config

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty
Renames multiple (222) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exenet1.exenet.exenet.exenet.exenet.exenet1.exetaskkill.exenet.exenet1.exenet.exenet.exenet.exetaskkill.exenet.exenet.exenet.exenet1.exenet1.exetaskkill.exenet1.exetaskkill.exenet1.exenet1.exenet1.exenet.exenet1.exenet.exenet1.exenet.exetaskkill.exenet1.exenet.exenet1.exetaskkill.exetaskkill.exenet.exenet.exetaskkill.exenet1.exenet.exenet1.exenet1.exenet.exetaskkill.exetaskkill.exenet.exenet1.exenet1.exenet.exenet.exenet1.exenet1.exenet.exenet1.exenet1.exenet.exenet.exetaskkill.exetaskkill.exenet1.exenet1.exenet1.exenet1.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

Processes:

net.exenet1.exe

pid	Process
2288	net.exe
2784	net1.exe

Kills process with taskkill 29 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
776	taskkill.exe
2592	taskkill.exe
1936	taskkill.exe
1148	taskkill.exe
2288	taskkill.exe
3028	taskkill.exe
2696	taskkill.exe
2604	taskkill.exe
2480	taskkill.exe
2548	taskkill.exe
1776	taskkill.exe
1724	taskkill.exe
2560	taskkill.exe
2700	taskkill.exe
2700	taskkill.exe
1716	taskkill.exe
2436	taskkill.exe
2560	taskkill.exe
2524	taskkill.exe
1940	taskkill.exe
2628	taskkill.exe
2896	taskkill.exe
1016	taskkill.exe
1924	taskkill.exe
3008	taskkill.exe
2632	taskkill.exe
2532	taskkill.exe
2736	taskkill.exe
1476	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe

pid	Process
2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe

description	pid	Process	procid_target
PID 2192 wrote to memory of 2288	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	30
PID 2192 wrote to memory of 2288	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	30
PID 2192 wrote to memory of 2288	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	30
PID 2192 wrote to memory of 2288	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	30
PID 2192 wrote to memory of 3008	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	32
PID 2192 wrote to memory of 3008	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	32
PID 2192 wrote to memory of 3008	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	32
PID 2192 wrote to memory of 3008	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	32
PID 2192 wrote to memory of 3028	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	144
PID 2192 wrote to memory of 3028	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	144
PID 2192 wrote to memory of 3028	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	144
PID 2192 wrote to memory of 3028	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	144
PID 2192 wrote to memory of 2560	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	35
PID 2192 wrote to memory of 2560	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	35
PID 2192 wrote to memory of 2560	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	35
PID 2192 wrote to memory of 2560	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	35
PID 2192 wrote to memory of 2524	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	36
PID 2192 wrote to memory of 2524	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	36
PID 2192 wrote to memory of 2524	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	36
PID 2192 wrote to memory of 2524	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	36
PID 2192 wrote to memory of 2632	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	140
PID 2192 wrote to memory of 2632	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	140
PID 2192 wrote to memory of 2632	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	140
PID 2192 wrote to memory of 2632	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	140
PID 2192 wrote to memory of 2696	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	39
PID 2192 wrote to memory of 2696	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	39
PID 2192 wrote to memory of 2696	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	39
PID 2192 wrote to memory of 2696	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	39
PID 2192 wrote to memory of 776	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	43
PID 2192 wrote to memory of 776	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	43
PID 2192 wrote to memory of 776	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	43
PID 2192 wrote to memory of 776	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	43
PID 2192 wrote to memory of 2700	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	250
PID 2192 wrote to memory of 2700	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	250
PID 2192 wrote to memory of 2700	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	250
PID 2192 wrote to memory of 2700	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	250
PID 2192 wrote to memory of 2604	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	239
PID 2192 wrote to memory of 2604	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	239
PID 2192 wrote to memory of 2604	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	239
PID 2192 wrote to memory of 2604	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	239
PID 2192 wrote to memory of 2532	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	149
PID 2192 wrote to memory of 2532	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	149
PID 2192 wrote to memory of 2532	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	149
PID 2192 wrote to memory of 2532	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	149
PID 2192 wrote to memory of 2592	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	53
PID 2192 wrote to memory of 2592	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	53
PID 2192 wrote to memory of 2592	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	53
PID 2192 wrote to memory of 2592	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	53
PID 2192 wrote to memory of 2736	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	55
PID 2192 wrote to memory of 2736	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	55
PID 2192 wrote to memory of 2736	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	55
PID 2192 wrote to memory of 2736	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	55
PID 2192 wrote to memory of 1716	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	167
PID 2192 wrote to memory of 1716	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	167
PID 2192 wrote to memory of 1716	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	167
PID 2192 wrote to memory of 1716	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	167
PID 2192 wrote to memory of 1940	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	59
PID 2192 wrote to memory of 1940	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	59
PID 2192 wrote to memory of 1940	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	59
PID 2192 wrote to memory of 1940	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	59
PID 2192 wrote to memory of 2480	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	174
PID 2192 wrote to memory of 2480	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	174
PID 2192 wrote to memory of 2480	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	174
PID 2192 wrote to memory of 2480	2192	513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe	174

C:\Users\Admin\AppData\Local\Temp\513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe
"C:\Users\Admin\AppData\Local\Temp\513266fb23782f2bff65b6e8f059c4f4bb99562610c44110c4a463338f91d425.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im mysql*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im dsa*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Ntrtscan*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im ds_monitor*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Notifier*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im TmListen*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im iVPAgent*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im CNTAoSMgr*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im IBM*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im bes10*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im black*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im robo*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im copy*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im store.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im vee*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im postg*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sage*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  - System Location Discovery: System Language Discovery
  PID:796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:696
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ISARS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:444
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1952
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$MSFW
  2⤵
  PID:2248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1344
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ISARS
  2⤵
  PID:2380
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$MSFW
  2⤵
  - System Location Discovery: System Language Discovery
  PID:956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:660
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser
    3⤵
    PID:1540
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$ISARS
  2⤵
  PID:832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLWriter
    3⤵
    PID:1676
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop mr2kserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mr2kserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeADTopology
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeADTopology
    3⤵
    PID:2528
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeFBA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeFBA
    3⤵
    PID:1568
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS
  2⤵
  PID:3000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS
    3⤵
    PID:2660
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA
    3⤵
    PID:2644
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ShadowProtectSvc
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ShadowProtectSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPAdminV4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPAdminV4
    3⤵
    PID:2476
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTimerV4
  2⤵
  - System Time Discovery
  PID:2288
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTimerV4
    3⤵
    - System Location Discovery: System Language Discovery
    - System Time Discovery
    PID:2784
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTraceV4
  2⤵
  PID:2768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTraceV4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:328
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPUserCodeV4
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPUserCodeV4
    3⤵
    PID:2496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPWriterV4
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPWriterV4
    3⤵
    PID:944
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPSearch4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPSearch4
    3⤵
    PID:1444
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:980
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:1604
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop firebirdguardiandefaultinstance
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
    3⤵
    PID:1944
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ibmiasrw
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ibmiasrw
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2064
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBCFMonitorService
  2⤵
  PID:768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService
    3⤵
    - System Location Discovery: System Language Discovery
    PID:112
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBVSS
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBVSS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBPOSDBServiceV12
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBPOSDBServiceV12
    3⤵
    PID:2940
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1584
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
    3⤵
    PID:1784
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    - System Location Discovery: System Language Discovery
    PID:828
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB1
  2⤵
  PID:2304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2392
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB2
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB2
    3⤵
    PID:2256
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB3
  2⤵
  PID:348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB3
    3⤵
    PID:1496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB4
    3⤵
    PID:1124
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB5
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB5
    3⤵
    PID:1952
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB6
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB6
    3⤵
    PID:1684
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB7
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB7
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1048
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB8
    3⤵
    PID:2124
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB9
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB9
    3⤵
    PID:2296
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB10
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB10
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2004
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB11
    3⤵
    PID:2352
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB12
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB12
    3⤵
    - System Location Discovery: System Language Discovery
    PID:840
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB13
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB13
    3⤵
    PID:1508
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB14
  2⤵
  PID:1724
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB14
    3⤵
    PID:1592
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB15
  2⤵
  - System Location Discovery: System Language Discovery
  PID:660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB15
    3⤵
    PID:2444
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB16
  2⤵
  - System Location Discovery: System Language Discovery
  PID:756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB16
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1704
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB17
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB17
    3⤵
    PID:2812
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB18
  2⤵
  - System Location Discovery: System Language Discovery
  PID:880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB18
    3⤵
    PID:2564
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB19
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB19
    3⤵
    PID:2660
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB20
  2⤵
  PID:984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB20
    3⤵
    PID:2040
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB21
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB21
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB22
    3⤵
    PID:2336
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB23
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB23
    3⤵
    PID:2788
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB24
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB24
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB25
  2⤵
  PID:2720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB25
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1916
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2772"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2772"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2772"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2620"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2620"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2620"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2720"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2720"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2720"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-148582006-1471959752-1052113772-1579450963-1265220719106090421916038737011137773010"
1⤵
PID:2632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13502672131268916322172028761710471452401776475980-212059479413666110541423869342"
1⤵
PID:2532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1226826843583681960-1059982839-1456056540-2092938443899529735461361832-1478721334"
1⤵
PID:1716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-74238432211268048441842625963795707239-972741866213523562879671011675314759"
1⤵
PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1986397137970206748-667387560-15267815411356202874-21374525496550863841818946760"
1⤵
PID:1776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-367283563-1811079436243441354-1103651527-1711369107-982159706-867283731156138817"
1⤵
PID:796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-934855042-1087569879293734863-943330680-1773436744-1774014424515982911-683214315"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1758974302-541243928-1746576807-2095300073-101466729884663877773044072-1112435753"
1⤵
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "870137664945392773-852642022-927638579-616697172133032576-1529953133-858533714"
1⤵
PID:2060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "80949277714850053122567385411849755039754470570-3560074141161188020726672523"
1⤵
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\read_me_lkd.txt

Filesize
1KB

MD5
456f9ee19279b7267f4a39a1d09d23ff

SHA1
ff811ade989d29d81537b1549489b55965e78041

SHA256
76800f4dd8d468918290faced7b06fa0a287930d4c76e7719d49b41ba43a45c7

SHA512
5117b46ced621edb9d2552539613e76982d4d7f45ba2a709d92b6b0eab3f955af596fd5079fdc9326f784804a7c5f81e5d1e7a3bd3373b6fe50235afa87f8f07

Download Submit