e9b99706a9b48b09974dd18c1af8a0e402ccddcaa0c91edf43fdd838128a7408

Analysis

max time kernel
300s
max time network
240s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

101.ex_.exe
Size

72KB
MD5

8ce930987752f9790864543b6da34317
SHA1

7d89ae64e1dae59e8e85749b875aa712a4fc5e36
SHA256

5bce08b97565564ccdebec5b9c45ac680e0b3f01ddde2461f1dff4a9bbe50836
SHA512

456c1eb90d51145a785ee47c15d49b0bc9ce9a14f636bbac69e4df19fb2ab8b6e4f785657797042561e0d12e237fc223537220493d9a4ef3f1b29cda373fb65d
SSDEEP

1536:7L7EqNd1A9O75xPIFcQaxXoNzgueHhkKLcjKsMFYM6dN:73h7ecBmxghHxLcjKsHN

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

pid	process
1552	taskkill.exe
2644	taskkill.exe
2700	taskkill.exe
1604	taskkill.exe
2936	taskkill.exe
2396	taskkill.exe
2568	taskkill.exe
1972	taskkill.exe
2956	taskkill.exe
1612	taskkill.exe
584	taskkill.exe
2620	taskkill.exe
2140	taskkill.exe
3048	taskkill.exe
2500	taskkill.exe
2640	taskkill.exe
2732	taskkill.exe
2052	taskkill.exe
1436	taskkill.exe
2140	taskkill.exe
1740	taskkill.exe
2112	taskkill.exe
924	taskkill.exe
2928	taskkill.exe
2984	taskkill.exe
3032	taskkill.exe
2016	taskkill.exe
3048	taskkill.exe
872	taskkill.exe
1860	taskkill.exe
2700	taskkill.exe
484	taskkill.exe
2456	taskkill.exe
2804	taskkill.exe
2684	taskkill.exe
2492	taskkill.exe
2932	taskkill.exe
560	taskkill.exe
2520	taskkill.exe
2740	taskkill.exe
2476	taskkill.exe
2992	taskkill.exe
1480	taskkill.exe
1156	taskkill.exe
892	taskkill.exe
2932	taskkill.exe
1436	taskkill.exe
2904	taskkill.exe
1172	taskkill.exe
876	taskkill.exe
3016	taskkill.exe
1480	taskkill.exe
2452	taskkill.exe
2672	taskkill.exe
1424	taskkill.exe
1736	taskkill.exe
2060	taskkill.exe
2648	taskkill.exe
692	taskkill.exe
1924	taskkill.exe
2056	taskkill.exe
1056	taskkill.exe
2860	taskkill.exe
3044	taskkill.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

101.ex_.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveActive = "0"	101.ex_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	484	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	408	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	928	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	264	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

101.ex_.exe

pid process

2604 101.ex_.exe
2604 101.ex_.exe

pid	process
2604	101.ex_.exe
2604	101.ex_.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

101.ex_.exe

description	pid	process	target process
PID 2604 wrote to memory of 2684	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2684	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2684	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2684	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1248	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1248	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1248	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1248	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2644	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2644	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2644	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2644	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2192	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2192	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2192	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2192	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2396	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2396	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2396	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2396	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2052	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2052	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2052	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2052	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1804	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1804	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1804	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1804	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1540	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1540	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1540	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1540	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1740	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1740	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1740	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1740	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1980	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1980	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1980	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1980	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1172	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1172	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1172	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 1172	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2264	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2264	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2264	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2264	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2348	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2348	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2348	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2348	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2860	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2860	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2860	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2860	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2940	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2940	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2940	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2940	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2836	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2836	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2836	2604	101.ex_.exe	taskkill.exe
PID 2604 wrote to memory of 2836	2604	101.ex_.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\101.ex_.exe
"C:\Users\Admin\AppData\Local\Temp\101.ex_.exe"
1⤵
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2568
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2096
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2640
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1604
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2552
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:3016
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1772
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1660
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2500
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2140
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2868
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2972
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2296
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2416
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2520
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2512
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1404
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1584
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1136
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1256
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2208
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2620
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2260
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2248
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1480
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2340
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1740
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2124
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2812
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2972
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2112
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3052
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2160
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2700
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:372
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1552
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:408
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2228
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2620
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:872
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1808
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:924
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1480
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1972
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:580
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2124
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2812
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2828
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2112
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:484
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2452
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2456
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2292
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1424
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:560
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1568
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1444
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1180
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1480
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2224
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1728
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2804
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2760
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2904
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2732
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2692
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2200
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2740
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:756
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1612
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2272
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1484
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2492
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2368
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1568
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1444
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1936
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2340
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1512
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2140
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:544
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2932
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2984
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2532
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2820
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2836
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:3032
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1772
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2676
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1552
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:408
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2168
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1976
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:692
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1784
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1920
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1708
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1924
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:700
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2476
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2016
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2444
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3048
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2464
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:780
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1360
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:300
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:584
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1156
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1536
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1424
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:560
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1732
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:936
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3012
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2204
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2800
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2852
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2956
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2120
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2820
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3048
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2220
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1148
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2096
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2992
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1436
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2088
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2076
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2572
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2412
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1736
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2896
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2804
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2812
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:3044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2328
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1744
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2520
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2012
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2452
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1552
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1136
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:892
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2648
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:956
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1880
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2964
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:184
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1180
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2196
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2768
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2140
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2936
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2736
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2828
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2604-4-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2604-3-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-2-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-1-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-0-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-8-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-7-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-6-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-5-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-41-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-71-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-72-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-70-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-69-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-68-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-67-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-66-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-65-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-64-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-63-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-62-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-61-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-60-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-59-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-58-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-57-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-56-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-55-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-54-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-53-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-52-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-51-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-50-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-49-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-48-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-47-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-46-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-45-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-44-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-43-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-42-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-79-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-78-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-142-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-141-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-140-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-139-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-138-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-137-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-136-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-135-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-134-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-133-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-132-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-131-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-130-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-129-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-160-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2604-159-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2604-182-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-181-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-180-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-179-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-184-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-183-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-185-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-186-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-188-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-187-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-190-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-189-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-192-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2604-191-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download