hellokitty | e22137c5b034e0bf022ee389b607d3e0cffdbb25355918135f1536a7e510442b

Analysis

max time kernel
95s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe
Size

477KB
MD5

dedaf87d9f14524ec3fe7c3d2e304bf5
SHA1

be8574663f31227d834bf3adc31c386533a7632c
SHA256

e22137c5b034e0bf022ee389b607d3e0cffdbb25355918135f1536a7e510442b
SHA512

ddde7e1d9ba6c684d1e2a9c5f324e1d294f1f5899e3994f59e3b5a68b3a5c058c01f437ebf147c08c8d8a4308696aa38cbbf62b415e5344d20db02551827afea
SSDEEP

3072:OWNV+TSXAtEyDgEws1/gT72ZywWWq/ePVl/uw7cFhpD:OWTASXh6mkWWjzcFLD

Score

10^/10

hellokitty discovery ransomware

Malware Config

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty
Renames multiple (163) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
4324	net.exe
4004	net1.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
3136	taskkill.exe
808	taskkill.exe
4160	taskkill.exe
4644	taskkill.exe
4776	taskkill.exe
2996	taskkill.exe
1800	taskkill.exe
2340	taskkill.exe
2456	taskkill.exe
3928	taskkill.exe
4644	taskkill.exe
1516	taskkill.exe
1956	taskkill.exe
4292	taskkill.exe
2776	taskkill.exe
2928	taskkill.exe
1100	taskkill.exe
3900	taskkill.exe
4804	taskkill.exe
4112	taskkill.exe
4208	taskkill.exe
4428	taskkill.exe
3528	taskkill.exe
1596	taskkill.exe
1540	taskkill.exe
1548	taskkill.exe
4588	taskkill.exe
3656	taskkill.exe
5064	taskkill.exe
1000	taskkill.exe
1248	taskkill.exe
1308	taskkill.exe
636	taskkill.exe
4036	taskkill.exe
4436	taskkill.exe
3376	taskkill.exe
2804	taskkill.exe
3908	taskkill.exe
2000	taskkill.exe
3952	taskkill.exe
5060	taskkill.exe
4748	taskkill.exe
1168	taskkill.exe
2840	taskkill.exe
1992	taskkill.exe
676	taskkill.exe
4076	taskkill.exe
4200	taskkill.exe
3960	taskkill.exe
2636	taskkill.exe
3528	taskkill.exe
1344	taskkill.exe
1356	taskkill.exe
4696	taskkill.exe
3576	taskkill.exe
4800	taskkill.exe
3440	taskkill.exe
1896	taskkill.exe
3008	taskkill.exe
2576	taskkill.exe
3368	taskkill.exe
1948	taskkill.exe
4348	taskkill.exe
952	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe
2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	4292	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	3376	taskkill.exe
Token: SeDebugPrivilege	3952	taskkill.exe
Token: SeDebugPrivilege	4428	taskkill.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeDebugPrivilege	4876	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	3196	taskkill.exe
Token: SeDebugPrivilege	3236	taskkill.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	1344	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	4776	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	4772	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	4748	taskkill.exe
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	3368	taskkill.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	3236	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	3656	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2456	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	85
PID 2060 wrote to memory of 2456	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	85
PID 2060 wrote to memory of 2456	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	85
PID 2060 wrote to memory of 3968	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	87
PID 2060 wrote to memory of 3968	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	87
PID 2060 wrote to memory of 3968	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	87
PID 2060 wrote to memory of 4292	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	89
PID 2060 wrote to memory of 4292	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	89
PID 2060 wrote to memory of 4292	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	89
PID 2060 wrote to memory of 2684	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	91
PID 2060 wrote to memory of 2684	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	91
PID 2060 wrote to memory of 2684	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	91
PID 2060 wrote to memory of 4364	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	396
PID 2060 wrote to memory of 4364	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	396
PID 2060 wrote to memory of 4364	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	396
PID 2060 wrote to memory of 3952	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	264
PID 2060 wrote to memory of 3952	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	264
PID 2060 wrote to memory of 3952	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	264
PID 2060 wrote to memory of 4428	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	96
PID 2060 wrote to memory of 4428	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	96
PID 2060 wrote to memory of 4428	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	96
PID 2060 wrote to memory of 3376	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	164
PID 2060 wrote to memory of 3376	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	164
PID 2060 wrote to memory of 3376	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	164
PID 2060 wrote to memory of 2964	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	102
PID 2060 wrote to memory of 2964	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	102
PID 2060 wrote to memory of 2964	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	102
PID 2060 wrote to memory of 4516	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	189
PID 2060 wrote to memory of 4516	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	189
PID 2060 wrote to memory of 4516	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	189
PID 2060 wrote to memory of 1000	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	272
PID 2060 wrote to memory of 1000	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	272
PID 2060 wrote to memory of 1000	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	272
PID 2060 wrote to memory of 4876	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	108
PID 2060 wrote to memory of 4876	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	108
PID 2060 wrote to memory of 4876	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	108
PID 2060 wrote to memory of 4644	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	424
PID 2060 wrote to memory of 4644	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	424
PID 2060 wrote to memory of 4644	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	424
PID 2060 wrote to memory of 2636	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	112
PID 2060 wrote to memory of 2636	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	112
PID 2060 wrote to memory of 2636	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	112
PID 2060 wrote to memory of 1248	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	432
PID 2060 wrote to memory of 1248	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	432
PID 2060 wrote to memory of 1248	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	432
PID 2060 wrote to memory of 3196	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	283
PID 2060 wrote to memory of 3196	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	283
PID 2060 wrote to memory of 3196	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	283
PID 2060 wrote to memory of 3236	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	374
PID 2060 wrote to memory of 3236	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	374
PID 2060 wrote to memory of 3236	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	374
PID 2060 wrote to memory of 3528	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	378
PID 2060 wrote to memory of 3528	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	378
PID 2060 wrote to memory of 3528	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	378
PID 2060 wrote to memory of 1344	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	122
PID 2060 wrote to memory of 1344	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	122
PID 2060 wrote to memory of 1344	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	122
PID 2060 wrote to memory of 1308	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	364
PID 2060 wrote to memory of 1308	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	364
PID 2060 wrote to memory of 1308	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	364
PID 2060 wrote to memory of 2632	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	354
PID 2060 wrote to memory of 2632	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	354
PID 2060 wrote to memory of 2632	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	354
PID 2060 wrote to memory of 1288	2060	20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe	361

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe
"C:\Users\Admin\AppData\Local\Temp\20240910dedaf87d9f14524ec3fe7c3d2e304bf5cobaltstrikehellokitty.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im mysql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im dsa*
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Ntrtscan*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im ds_monitor*
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Notifier*
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im TmListen*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im iVPAgent*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im CNTAoSMgr*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3376
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im IBM*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im bes10*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im black*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im robo*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im copy*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im store.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im vee*
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3196
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3236
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im postg*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sage*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    PID:1856
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ISARS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1288
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ISARS
    3⤵
    PID:4548
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$MSFW
  2⤵
  PID:3592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1360
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ISARS
  2⤵
  PID:4392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$MSFW
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$MSFW
    3⤵
    PID:1688
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser
    3⤵
    PID:5104
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$ISARS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$ISARS
    3⤵
    PID:5060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter
  2⤵
  PID:1180
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLWriter
    3⤵
    PID:208
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop WinDefend
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    PID:1752
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop mr2kserv
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mr2kserv
    3⤵
    PID:3596
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeADTopology
  2⤵
  PID:4904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeADTopology
    3⤵
    PID:2500
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeFBA
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeFBA
    3⤵
    PID:4976
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS
  2⤵
  PID:4756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS
    3⤵
    PID:2152
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA
    3⤵
    PID:672
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ShadowProtectSvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ShadowProtectSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1480
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPAdminV4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPAdminV4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3796
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTimerV4
  2⤵
  - System Time Discovery
  PID:4324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTimerV4
    3⤵
    - System Time Discovery
    PID:4004
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTraceV4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTraceV4
    3⤵
    PID:1568
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPUserCodeV4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPUserCodeV4
    3⤵
    PID:3768
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPWriterV4
  2⤵
  PID:840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPWriterV4
    3⤵
    PID:3092
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPSearch4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1380
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPSearch4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    PID:1608
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:2428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop firebirdguardiandefaultinstance
  2⤵
  PID:4516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4488
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ibmiasrw
  2⤵
  PID:3480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ibmiasrw
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBCFMonitorService
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService
    3⤵
    PID:3208
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBVSS
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBVSS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBPOSDBServiceV12
  2⤵
  PID:3044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBPOSDBServiceV12
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1112
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"
  2⤵
  PID:3236
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3136
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
    3⤵
    PID:5108
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:2936
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"
  2⤵
  PID:792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4268
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB1
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4036
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB2
  2⤵
  PID:1580
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB2
    3⤵
    PID:4824
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB3
  2⤵
  PID:1288
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB3
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB4
  2⤵
  PID:2504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB4
    3⤵
    PID:1956
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB5
  2⤵
  PID:3040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB5
    3⤵
    PID:1308
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB6
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB6
    3⤵
    PID:2528
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB7
  2⤵
  PID:2624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB7
    3⤵
    PID:2104
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB8
  2⤵
  PID:4636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB8
    3⤵
    PID:212
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4436
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB9
    3⤵
    PID:3868
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB10
  2⤵
  PID:1724
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB10
    3⤵
    PID:5108
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB11
  2⤵
  PID:3560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB11
    3⤵
    PID:2276
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB12
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB12
    3⤵
    PID:984
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB13
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB13
    3⤵
    PID:4748
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB14
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB14
    3⤵
    PID:4224
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB15
  2⤵
  - System Location Discovery: System Language Discovery
  PID:956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB15
    3⤵
    PID:3608
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB16
  2⤵
  PID:3092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB16
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB17
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1640
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB17
    3⤵
    PID:5112
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB18
  2⤵
  PID:4832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB18
    3⤵
    PID:1180
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB19
  2⤵
  - System Location Discovery: System Language Discovery
  PID:860
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB19
    3⤵
    PID:1708
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB20
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB20
    3⤵
    PID:4392
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB21
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3960
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:672
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB21
    3⤵
    - System Location Discovery: System Language Discovery
    PID:792
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB22
  2⤵
  PID:1000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB22
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB23
  2⤵
  PID:1364
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB23
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3908
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB24
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB24
    3⤵
    PID:3056
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB25
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4720
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB25
    3⤵
    PID:1800
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2576"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2576"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2576"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2824"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2824"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1360
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2824"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2616"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2616"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2616"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2104
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3236"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3236"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3236"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3532
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2840"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1580
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2840"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2840"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2328"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2328"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2328"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1580"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1580"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3900
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1580"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3368
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:956
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2504"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2020
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2504"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2504"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3040"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3040"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3040"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2624"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2624"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3056
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2624"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4636"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4636"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3908
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4636"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3044
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4436"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1308
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4436"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4864
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4436"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1724"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1724"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1724"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3560"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3236
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3560"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3560"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2000"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4756
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2000"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3656
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2000"
  2⤵
  - Kills process with taskkill
  PID:1948
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1568
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2124"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:952
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2124"
  2⤵
  - Kills process with taskkill
  PID:2840
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2124"
  2⤵
  PID:3668
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1688
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1304"
  2⤵
  - Kills process with taskkill
  PID:1992
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:636
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1304"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4036
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4364
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1304"
  2⤵
  PID:3864
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3092"
  2⤵
  - Kills process with taskkill
  PID:4436
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3092"
  2⤵
  - Kills process with taskkill
  PID:4348
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5104
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3092"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4200
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1640"
  2⤵
  - Kills process with taskkill
  PID:4804
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1640"
  2⤵
  - Kills process with taskkill
  PID:5064
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1548
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1640"
  2⤵
  PID:3488
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4832"
  2⤵
  PID:1868
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4832"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4696
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4832"
  2⤵
  - Kills process with taskkill
  PID:3576
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1112
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4188"
  2⤵
  PID:3592
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4612
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4188"
  2⤵
  PID:1608
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4188"
  2⤵
  - Kills process with taskkill
  PID:4112
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4644
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3960"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1516
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4976
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3960"
  2⤵
  - Kills process with taskkill
  PID:1956
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3960"
  2⤵
  - Kills process with taskkill
  PID:3960
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1364"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4904
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1364"
  2⤵
  - Kills process with taskkill
  PID:4800
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2936
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1364"
  2⤵
  PID:1248
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3532
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2452"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4208
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2452"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3216
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3608
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2452"
  2⤵
  - Kills process with taskkill
  PID:3136
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3036
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4720"
  2⤵
  - Kills process with taskkill
  PID:808
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5112
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4720"
  2⤵
  - Kills process with taskkill
  PID:4160
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4720"
  2⤵
  - Kills process with taskkill
  PID:2340
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:4188

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3596

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 43vhecoqsk6+XxLXqQKa8A.0.2
1⤵
PID:3960

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Contacts\read_me_lkd.txt

Filesize
1KB

MD5
456f9ee19279b7267f4a39a1d09d23ff

SHA1
ff811ade989d29d81537b1549489b55965e78041

SHA256
76800f4dd8d468918290faced7b06fa0a287930d4c76e7719d49b41ba43a45c7

SHA512
5117b46ced621edb9d2552539613e76982d4d7f45ba2a709d92b6b0eab3f955af596fd5079fdc9326f784804a7c5f81e5d1e7a3bd3373b6fe50235afa87f8f07

Download Submit