hellokitty | e22137c5b034e0bf022ee389b607d3e0cffdbb25355918135f1536a7e510442b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-09-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe
Size

477KB
MD5

dedaf87d9f14524ec3fe7c3d2e304bf5
SHA1

be8574663f31227d834bf3adc31c386533a7632c
SHA256

e22137c5b034e0bf022ee389b607d3e0cffdbb25355918135f1536a7e510442b
SHA512

ddde7e1d9ba6c684d1e2a9c5f324e1d294f1f5899e3994f59e3b5a68b3a5c058c01f437ebf147c08c8d8a4308696aa38cbbf62b415e5344d20db02551827afea
SSDEEP

3072:OWNV+TSXAtEyDgEws1/gT72ZywWWq/ePVl/uw7cFhpD:OWTASXh6mkWWjzcFLD

Score

10^/10

hellokitty discovery ransomware

Malware Config

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty
Renames multiple (201) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
3544	net1.exe
2944	net.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2840	taskkill.exe
2312	taskkill.exe
3420	taskkill.exe
3736	taskkill.exe
3152	taskkill.exe
3404	taskkill.exe
2076	taskkill.exe
3260	taskkill.exe
2560	taskkill.exe
1232	taskkill.exe
3992	taskkill.exe
3616	taskkill.exe
2836	taskkill.exe
996	taskkill.exe
3272	taskkill.exe
1944	taskkill.exe
2784	taskkill.exe
4036	taskkill.exe
920	taskkill.exe
3896	taskkill.exe
1364	taskkill.exe
920	taskkill.exe
3080	taskkill.exe
3180	taskkill.exe
3508	taskkill.exe
3344	taskkill.exe
3660	taskkill.exe
3172	taskkill.exe
288	taskkill.exe
3440	taskkill.exe
3224	taskkill.exe
3352	taskkill.exe
292	taskkill.exe
2580	taskkill.exe
2216	taskkill.exe
3300	taskkill.exe
3692	taskkill.exe
3744	taskkill.exe
3244	taskkill.exe
1960	taskkill.exe
2388	taskkill.exe
3200	taskkill.exe
1588	taskkill.exe
1924	taskkill.exe
2916	taskkill.exe
3752	taskkill.exe
2880	taskkill.exe
1852	taskkill.exe
1704	taskkill.exe
992	taskkill.exe
1712	taskkill.exe
3292	taskkill.exe
3092	taskkill.exe
3712	taskkill.exe
3456	taskkill.exe
3276	taskkill.exe
3308	taskkill.exe
1060	taskkill.exe
2000	taskkill.exe
1396	taskkill.exe
2536	taskkill.exe
2968	taskkill.exe
2596	taskkill.exe
3928	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe
1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe
1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe
1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe
1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	3260	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	3308	taskkill.exe
Token: SeDebugPrivilege	3284	taskkill.exe
Token: SeDebugPrivilege	3272	taskkill.exe
Token: SeDebugPrivilege	3292	taskkill.exe
Token: SeDebugPrivilege	3320	taskkill.exe
Token: SeDebugPrivilege	3616	taskkill.exe
Token: SeDebugPrivilege	3672	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	3752	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	4036	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	3092	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	408	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2836	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	31
PID 1552 wrote to memory of 2836	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	31
PID 1552 wrote to memory of 2836	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	31
PID 1552 wrote to memory of 2836	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	31
PID 1552 wrote to memory of 2896	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	33
PID 1552 wrote to memory of 2896	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	33
PID 1552 wrote to memory of 2896	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	33
PID 1552 wrote to memory of 2896	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	33
PID 1552 wrote to memory of 2904	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	34
PID 1552 wrote to memory of 2904	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	34
PID 1552 wrote to memory of 2904	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	34
PID 1552 wrote to memory of 2904	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	34
PID 1552 wrote to memory of 2916	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	35
PID 1552 wrote to memory of 2916	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	35
PID 1552 wrote to memory of 2916	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	35
PID 1552 wrote to memory of 2916	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	35
PID 1552 wrote to memory of 2960	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	36
PID 1552 wrote to memory of 2960	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	36
PID 1552 wrote to memory of 2960	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	36
PID 1552 wrote to memory of 2960	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	36
PID 1552 wrote to memory of 2968	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	37
PID 1552 wrote to memory of 2968	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	37
PID 1552 wrote to memory of 2968	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	37
PID 1552 wrote to memory of 2968	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	37
PID 1552 wrote to memory of 2068	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	38
PID 1552 wrote to memory of 2068	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	38
PID 1552 wrote to memory of 2068	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	38
PID 1552 wrote to memory of 2068	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	38
PID 1552 wrote to memory of 2076	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	39
PID 1552 wrote to memory of 2076	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	39
PID 1552 wrote to memory of 2076	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	39
PID 1552 wrote to memory of 2076	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	39
PID 1552 wrote to memory of 996	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	40
PID 1552 wrote to memory of 996	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	40
PID 1552 wrote to memory of 996	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	40
PID 1552 wrote to memory of 996	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	40
PID 1552 wrote to memory of 2448	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	41
PID 1552 wrote to memory of 2448	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	41
PID 1552 wrote to memory of 2448	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	41
PID 1552 wrote to memory of 2448	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	41
PID 1552 wrote to memory of 2420	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	42
PID 1552 wrote to memory of 2420	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	42
PID 1552 wrote to memory of 2420	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	42
PID 1552 wrote to memory of 2420	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	42
PID 1552 wrote to memory of 1628	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	43
PID 1552 wrote to memory of 1628	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	43
PID 1552 wrote to memory of 1628	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	43
PID 1552 wrote to memory of 1628	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	43
PID 1552 wrote to memory of 1980	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	44
PID 1552 wrote to memory of 1980	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	44
PID 1552 wrote to memory of 1980	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	44
PID 1552 wrote to memory of 1980	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	44
PID 1552 wrote to memory of 2840	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	45
PID 1552 wrote to memory of 2840	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	45
PID 1552 wrote to memory of 2840	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	45
PID 1552 wrote to memory of 2840	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	45
PID 1552 wrote to memory of 2312	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	46
PID 1552 wrote to memory of 2312	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	46
PID 1552 wrote to memory of 2312	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	46
PID 1552 wrote to memory of 2312	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	46
PID 1552 wrote to memory of 2784	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	47
PID 1552 wrote to memory of 2784	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	47
PID 1552 wrote to memory of 2784	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	47
PID 1552 wrote to memory of 2784	1552	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	47

C:\Users\Admin\AppData\Local\Temp\20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe
"C:\Users\Admin\AppData\Local\Temp\20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im mysql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im dsa*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Ntrtscan*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im ds_monitor*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Notifier*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im TmListen*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im iVPAgent*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im CNTAoSMgr*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im IBM*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im bes10*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im black*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im robo*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im copy*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im store.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im vee*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa*
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im postg*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sage*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ISARS
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ISARS
    3⤵
    PID:2216
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$MSFW
  2⤵
  PID:2688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$MSFW
    3⤵
    PID:2084
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ISARS
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1796
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$MSFW
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$MSFW
    3⤵
    PID:2124
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1628
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$ISARS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLWriter
    3⤵
    PID:2180
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop WinDefend
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    PID:2548
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop mr2kserv
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mr2kserv
    3⤵
    PID:1624
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeADTopology
  2⤵
  PID:2480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeADTopology
    3⤵
    PID:592
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeFBA
  2⤵
  PID:2504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeFBA
    3⤵
    PID:2796
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS
    3⤵
    PID:1496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA
  2⤵
  PID:2940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA
    3⤵
    PID:1004
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ShadowProtectSvc
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ShadowProtectSvc
    3⤵
    PID:1932
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPAdminV4
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPAdminV4
    3⤵
    PID:2692
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTimerV4
  2⤵
  - System Time Discovery
  PID:2944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTimerV4
    3⤵
    - System Time Discovery
    PID:3544
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTraceV4
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTraceV4
    3⤵
    PID:2700
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPUserCodeV4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPUserCodeV4
    3⤵
    PID:784
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPWriterV4
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPWriterV4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2628
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPSearch4
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPSearch4
    3⤵
    PID:1308
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:1128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:1660
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop firebirdguardiandefaultinstance
  2⤵
  PID:2404
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
    3⤵
    PID:2616
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ibmiasrw
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ibmiasrw
    3⤵
    PID:2924
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBCFMonitorService
  2⤵
  PID:1844
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService
    3⤵
    PID:2052
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBVSS
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBVSS
    3⤵
    PID:1976
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBPOSDBServiceV12
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBPOSDBServiceV12
    3⤵
    PID:1256
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"
    3⤵
    PID:872
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2968
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    - System Location Discovery: System Language Discovery
    PID:884
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:2852
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB1
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB1
    3⤵
    PID:3384
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB2
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB2
    3⤵
    PID:2860
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB3
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB3
    3⤵
    PID:2084
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB4
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB5
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB5
    3⤵
    PID:2620
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB6
  2⤵
  PID:380
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB6
    3⤵
    PID:3552
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB7
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB7
    3⤵
    PID:3536
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB8
  2⤵
  PID:1396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB8
    3⤵
    PID:3568
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2916
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB9
    3⤵
    PID:3576
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB10
  2⤵
  PID:1000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB10
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3588
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB11
  2⤵
  PID:2444
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB11
    3⤵
    PID:3724
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB12
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB12
    3⤵
    PID:3640
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB13
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB13
    3⤵
    PID:3664
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB14
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB14
    3⤵
    PID:3716
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB15
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB15
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3708
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB16
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB16
    3⤵
    PID:3648
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB17
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB17
    3⤵
    PID:3700
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB18
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB18
    3⤵
    PID:3776
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB19
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB19
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3732
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB20
  2⤵
  PID:968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB20
    3⤵
    PID:3792
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB21
  2⤵
  PID:3076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB21
    3⤵
    PID:3688
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB22
    3⤵
    PID:3656
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB23
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB23
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3804
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB24
  2⤵
  PID:3160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB24
    3⤵
    PID:3768
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB25
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB25
    3⤵
    PID:3740
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2660"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3260
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2660"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2660"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3284
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2740"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2740"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2740"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2544"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2544"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2544"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3672
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2480"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3752
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2480"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2480"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2504"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2504"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2504"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2560"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3092
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2560"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2560"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2940"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2940"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2940"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2540"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2540"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2540"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2120"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2120"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2120"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2944"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2944"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2944"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1312"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1312"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1312"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1608"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1608"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1608"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1868"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1868"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1868"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2400"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2400"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2400"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2272"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2272"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2272"
  2⤵
  PID:3104
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2404"
  2⤵
  - Kills process with taskkill
  PID:3300
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2404"
  2⤵
  - Kills process with taskkill
  PID:3692
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2404"
  2⤵
  - Kills process with taskkill
  PID:3080
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2264"
  2⤵
  PID:3216
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2264"
  2⤵
  PID:3400
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2264"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3476
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1896"
  2⤵
  - Kills process with taskkill
  PID:3712
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1896"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3744
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1896"
  2⤵
  PID:3724
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2296"
  2⤵
  PID:3316
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2296"
  2⤵
  - Kills process with taskkill
  PID:3736
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2296"
  2⤵
  PID:2732
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1852"
  2⤵
  - Kills process with taskkill
  PID:3456
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1852"
  2⤵
  - Kills process with taskkill
  PID:3180
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1852"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3200
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1936"
  2⤵
  - Kills process with taskkill
  PID:3508
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1936"
  2⤵
  PID:3304
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1936"
  2⤵
  - Kills process with taskkill
  PID:3440
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2760"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3112
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2760"
  2⤵
  PID:3772
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2760"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3520
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1540"
  2⤵
  - Kills process with taskkill
  PID:3244
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1540"
  2⤵
  PID:3156
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1540"
  2⤵
  - Kills process with taskkill
  PID:3152
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1788"
  2⤵
  - Kills process with taskkill
  PID:3224
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1788"
  2⤵
  PID:3820
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1788"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3896
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2920"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3976
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2920"
  2⤵
  PID:3984
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2920"
  2⤵
  PID:3908
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1708"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3992
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1708"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3260
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1708"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3996
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1636"
  2⤵
  PID:4040
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1636"
  2⤵
  - Kills process with taskkill
  PID:3344
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1636"
  2⤵
  PID:2488
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1644"
  2⤵
  PID:2184
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1644"
  2⤵
  PID:2680
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1644"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2712
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1396"
  2⤵
  - Kills process with taskkill
  PID:2000
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1396"
  2⤵
  PID:2276
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1396"
  2⤵
  PID:1500
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2916"
  2⤵
  - Kills process with taskkill
  PID:3352
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2916"
  2⤵
  PID:3608
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2916"
  2⤵
  - Kills process with taskkill
  PID:1396
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2444"
  2⤵
  PID:1892
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2444"
  2⤵
  PID:2900
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2444"
  2⤵
  - Kills process with taskkill
  PID:2536
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1956"
  2⤵
  - Kills process with taskkill
  PID:1704
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1956"
  2⤵
  PID:3576
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1956"
  2⤵
  PID:2084
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2052"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3764
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2052"
  2⤵
  - Kills process with taskkill
  PID:3404
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2052"
  2⤵
  PID:1888
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1732"
  2⤵
  - Kills process with taskkill
  PID:3616
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1732"
  2⤵
  - Kills process with taskkill
  PID:1364
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1732"
  2⤵
  PID:4044
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2732"
  2⤵
  - Kills process with taskkill
  PID:3660
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2732"
  2⤵
  PID:1100
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2732"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3076
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1884"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1588
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1884"
  2⤵
  PID:584
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1884"
  2⤵
  PID:2104
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2912"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1980
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2912"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1960
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2912"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3564
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1864"
  2⤵
  PID:3604
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1864"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3500
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1864"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3172
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1560"
  2⤵
  PID:2600
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1560"
  2⤵
  - Kills process with taskkill
  PID:920
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1560"
  2⤵
  PID:1604
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3076"
  2⤵
  - Kills process with taskkill
  PID:992
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3076"
  2⤵
  PID:3492
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3076"
  2⤵
  PID:1880
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3120"
  2⤵
  PID:3284
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3120"
  2⤵
  PID:956
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3120"
  2⤵
  PID:3560
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3152"
  2⤵
  PID:3780
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3152"
  2⤵
  PID:2904
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3152"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:292
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3160"
  2⤵
  PID:3408
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3160"
  2⤵
  - Kills process with taskkill
  PID:3276
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3160"
  2⤵
  - Kills process with taskkill
  PID:1944
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3168"
  2⤵
  PID:1900
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3168"
  2⤵
  - Kills process with taskkill
  PID:1924
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3168"
  2⤵
  PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2037021965-1531876281-1390733096-120092314512252359351305406814-1381655624-1540215805"
1⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1230147163-656294069936371374-7857344161510347380-2089239577-1948887604-1484986911"
1⤵
PID:1868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1483301349386931621-11967460011317164218-551314597-3133095976780338371600001000"
1⤵
PID:2400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "830337493-1059585019-1202522030-1646127372-195857324-1232792456-1596457835337367862"
1⤵
PID:3648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4242652161868577832483754243110242042778795356-65903635213347261122020254037"
1⤵
PID:3716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "643130517-1864673726-88644053015974790313404223211472147717114655944459251840"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1531567750-681878159492260715-2247294901638110768-13706103951610920404-1799535685"
1⤵
PID:3160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "198646365-1555939127-13418483721857788266-174108411986283139716854254062055032201"
1⤵
PID:3308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2091874365913574055462759578-937289795-332581909-1410066357627356089-1533149829"
1⤵
PID:3536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-66160187-908017159127367070410040429153029324-585352754-1880976855-1792863643"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1290624476-642266705611968402483862719-11121939161284963840450949845-61506438"
1⤵
PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "832748674-1223004468520840807-5682414991574013099-1634378215-5120421081649814118"
1⤵
PID:3732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-869111973941023317-896672121391482031-106100893919300702641421427648-1587390481"
1⤵
PID:2124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-571856729-898914091-206903379213784993411464953475-17041702952117460539359030820"
1⤵
PID:2912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14053970311934981991165631515-995704833-456149022829554347-5047330091427770156"
1⤵
PID:3180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "97924431421370274225229376761438493848-1313517977-200995589817609291201092616250"
1⤵
PID:3260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "688690152-19932560721932160734-19751650338730609498071712251129880697692726606"
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\read_me_lkd.txt

Filesize
1KB

MD5
456f9ee19279b7267f4a39a1d09d23ff

SHA1
ff811ade989d29d81537b1549489b55965e78041

SHA256
76800f4dd8d468918290faced7b06fa0a287930d4c76e7719d49b41ba43a45c7

SHA512
5117b46ced621edb9d2552539613e76982d4d7f45ba2a709d92b6b0eab3f955af596fd5079fdc9326f784804a7c5f81e5d1e7a3bd3373b6fe50235afa87f8f07

Download Submit