hellokitty | 17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef

Analysis

max time kernel
105s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe
Size

166KB
MD5

e333299d9f7e4c064746e177c84bb5c8
SHA1

7dfa402cebfb31ee8e898aff3a645ce87e32c70a
SHA256

17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef
SHA512

8907f9ac9854ecf0ea9a36eee8299febb1a924e26c017c8d756824de0ab67165155bf003581e15ee93468abd8f1596c03626a01657cdc623be461990493a670c
SSDEEP

3072:ONV+7SXjtEjDg/s6L7h/gT72ZywWWq/ePVl/uw7cFhDc:OTwSXNUQmkWWjzcFW

Score

10^/10

hellokitty discovery ransomware

Malware Config

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty
Hellokitty family
hellokitty
Renames multiple (187) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
5768	net.exe
4624	net1.exe

Kills process with taskkill 64 IoCs

defense_evasion

pid	Process
4792	taskkill.exe
5260	taskkill.exe
5256	taskkill.exe
2360	taskkill.exe
408	taskkill.exe
3128	taskkill.exe
3624	taskkill.exe
5960	taskkill.exe
3980	taskkill.exe
3440	taskkill.exe
5964	taskkill.exe
4784	taskkill.exe
5588	taskkill.exe
4792	taskkill.exe
5184	taskkill.exe
2884	taskkill.exe
4804	taskkill.exe
1988	taskkill.exe
3960	taskkill.exe
704	taskkill.exe
400	taskkill.exe
432	taskkill.exe
4816	taskkill.exe
1320	taskkill.exe
4524	taskkill.exe
2844	taskkill.exe
2228	taskkill.exe
2648	taskkill.exe
3640	taskkill.exe
2276	taskkill.exe
3508	taskkill.exe
5740	taskkill.exe
524	taskkill.exe
4240	taskkill.exe
4544	taskkill.exe
5600	taskkill.exe
2336	taskkill.exe
1372	taskkill.exe
5424	taskkill.exe
5788	taskkill.exe
4476	taskkill.exe
5016	taskkill.exe
5788	taskkill.exe
4908	taskkill.exe
2152	taskkill.exe
5964	taskkill.exe
3048	taskkill.exe
1844	taskkill.exe
2740	taskkill.exe
5936	taskkill.exe
5984	taskkill.exe
4444	taskkill.exe
3204	taskkill.exe
684	taskkill.exe
5620	taskkill.exe
3944	taskkill.exe
2840	taskkill.exe
2680	taskkill.exe
4924	taskkill.exe
1684	taskkill.exe
5552	taskkill.exe
3404	taskkill.exe
2776	taskkill.exe
2608	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe
5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	704	taskkill.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: SeDebugPrivilege	5788	taskkill.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	3252	taskkill.exe
Token: SeDebugPrivilege	5448	taskkill.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	5984	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	5960	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	5600	taskkill.exe
Token: SeDebugPrivilege	5964	taskkill.exe
Token: SeDebugPrivilege	5588	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	5580	taskkill.exe
Token: SeDebugPrivilege	400	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	5184	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	4544	taskkill.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	5260	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	5740	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	3204	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	5256	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	4140	taskkill.exe
Token: SeDebugPrivilege	524	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	3316	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	3076	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	5164	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	3380	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	4924	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5456 wrote to memory of 2968	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	208
PID 5456 wrote to memory of 2968	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	208
PID 5456 wrote to memory of 2968	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	208
PID 5456 wrote to memory of 704	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	203
PID 5456 wrote to memory of 704	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	203
PID 5456 wrote to memory of 704	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	203
PID 5456 wrote to memory of 4364	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	92
PID 5456 wrote to memory of 4364	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	92
PID 5456 wrote to memory of 4364	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	92
PID 5456 wrote to memory of 2776	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	94
PID 5456 wrote to memory of 2776	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	94
PID 5456 wrote to memory of 2776	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	94
PID 5456 wrote to memory of 5788	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	438
PID 5456 wrote to memory of 5788	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	438
PID 5456 wrote to memory of 5788	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	438
PID 5456 wrote to memory of 848	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	98
PID 5456 wrote to memory of 848	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	98
PID 5456 wrote to memory of 848	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	98
PID 5456 wrote to memory of 2548	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	364
PID 5456 wrote to memory of 2548	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	364
PID 5456 wrote to memory of 2548	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	364
PID 5456 wrote to memory of 4488	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	102
PID 5456 wrote to memory of 4488	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	102
PID 5456 wrote to memory of 4488	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	102
PID 5456 wrote to memory of 3640	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	104
PID 5456 wrote to memory of 3640	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	104
PID 5456 wrote to memory of 3640	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	104
PID 5456 wrote to memory of 5448	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	107
PID 5456 wrote to memory of 5448	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	107
PID 5456 wrote to memory of 5448	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	107
PID 5456 wrote to memory of 2608	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	108
PID 5456 wrote to memory of 2608	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	108
PID 5456 wrote to memory of 2608	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	108
PID 5456 wrote to memory of 3252	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	423
PID 5456 wrote to memory of 3252	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	423
PID 5456 wrote to memory of 3252	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	423
PID 5456 wrote to memory of 4792	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	297
PID 5456 wrote to memory of 4792	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	297
PID 5456 wrote to memory of 4792	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	297
PID 5456 wrote to memory of 4908	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	480
PID 5456 wrote to memory of 4908	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	480
PID 5456 wrote to memory of 4908	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	480
PID 5456 wrote to memory of 5984	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	416
PID 5456 wrote to memory of 5984	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	416
PID 5456 wrote to memory of 5984	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	416
PID 5456 wrote to memory of 5960	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	118
PID 5456 wrote to memory of 5960	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	118
PID 5456 wrote to memory of 5960	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	118
PID 5456 wrote to memory of 2152	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	415
PID 5456 wrote to memory of 2152	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	415
PID 5456 wrote to memory of 2152	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	415
PID 5456 wrote to memory of 5600	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	368
PID 5456 wrote to memory of 5600	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	368
PID 5456 wrote to memory of 5600	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	368
PID 5456 wrote to memory of 5964	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	448
PID 5456 wrote to memory of 5964	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	448
PID 5456 wrote to memory of 5964	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	448
PID 5456 wrote to memory of 5588	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	127
PID 5456 wrote to memory of 5588	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	127
PID 5456 wrote to memory of 5588	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	127
PID 5456 wrote to memory of 3412	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	436
PID 5456 wrote to memory of 3412	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	436
PID 5456 wrote to memory of 3412	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	436
PID 5456 wrote to memory of 4140	5456	17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe	358

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe
"C:\Users\Admin\AppData\Local\Temp\17dc9bb50f33427f62ccf8e9c844c47300eec8be13e2342b119b1c88a2b46bef.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:5456
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im mysql*
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im dsa*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Ntrtscan*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im ds_monitor*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Notifier*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im TmListen*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im iVPAgent*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im CNTAoSMgr*
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im IBM*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im bes10*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5448
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im black*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im robo*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im copy*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im store.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sql*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5984
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im vee*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5960
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5600
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im postg*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5964
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sage*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5588
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  PID:3412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    PID:2988
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ISARS
  2⤵
  PID:4140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ISARS
    3⤵
    PID:6016
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$MSFW
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$MSFW
    3⤵
    PID:2284
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ISARS
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ISARS
    3⤵
    PID:5512
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$MSFW
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$MSFW
    3⤵
    PID:4848
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser
    3⤵
    PID:1184
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$ISARS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$ISARS
    3⤵
    PID:2344
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter
  2⤵
  PID:2300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLWriter
    3⤵
    PID:2472
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4288
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    PID:4172
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop mr2kserv
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mr2kserv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2076
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeADTopology
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeADTopology
    3⤵
    PID:4236
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeFBA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeFBA
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4672
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS
    3⤵
    PID:5076
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA
    3⤵
    PID:4252
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ShadowProtectSvc
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ShadowProtectSvc
    3⤵
    PID:400
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPAdminV4
  2⤵
  PID:5736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPAdminV4
    3⤵
    PID:5188
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTimerV4
  2⤵
  - System Time Discovery
  PID:5768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTimerV4
    3⤵
    - System Location Discovery: System Language Discovery
    - System Time Discovery
    PID:4624
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTraceV4
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTraceV4
    3⤵
    PID:3452
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPUserCodeV4
  2⤵
  PID:5304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPUserCodeV4
    3⤵
    PID:5748
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPWriterV4
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPWriterV4
    3⤵
    PID:2928
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPSearch4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPSearch4
    3⤵
    PID:396
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  PID:820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    PID:4908
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:5012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:5104
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop firebirdguardiandefaultinstance
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1656
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
    3⤵
    PID:6096
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ibmiasrw
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ibmiasrw
    3⤵
    PID:3912
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBCFMonitorService
  2⤵
  PID:5952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService
    3⤵
    PID:1736
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBVSS
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBVSS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBPOSDBServiceV12
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBPOSDBServiceV12
    3⤵
    PID:3624
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"
  2⤵
  PID:5788
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"
    3⤵
    PID:1988
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5452
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5348
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:5844
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"
  2⤵
  PID:4508
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:3528
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2460
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:116
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB2
  2⤵
  PID:5652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB2
    3⤵
    PID:4428
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB3
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB3
    3⤵
    PID:4196
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB4
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB4
    3⤵
    PID:2616
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB5
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB5
    3⤵
    PID:5728
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB6
  2⤵
  PID:4836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB6
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4996
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB7
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB7
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4288
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5084
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6016
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB9
    3⤵
    PID:4176
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB10
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB10
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4080
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB11
  2⤵
  PID:2360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB11
    3⤵
    PID:3480
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB12
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB12
    3⤵
    PID:2252
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB13
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB13
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4292
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB14
  2⤵
  PID:5512
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB14
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1032
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB15
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB15
    3⤵
    PID:3616
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB16
  2⤵
  PID:5888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB16
    3⤵
    PID:4524
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB17
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB17
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3128
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB18
  2⤵
  PID:5980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB18
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2260
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB19
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB19
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5668
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB20
  2⤵
  PID:6084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB20
    3⤵
    PID:5164
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB21
  2⤵
  PID:3648
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB21
    3⤵
    PID:1844
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB22
  2⤵
  PID:3568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB22
    3⤵
    PID:1912
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB23
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB23
    3⤵
    PID:4564
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB24
  2⤵
  PID:5272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB24
    3⤵
    PID:4800
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB25
  2⤵
  PID:5560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB25
    3⤵
    PID:5160
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2756"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2756"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2756"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2836"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2836"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2836"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5580
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3056"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5184
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3056"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3056"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4716"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4716"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4716"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3508
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5348"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5260
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5348"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5740
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5348"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5844
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2460"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5952
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2460"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2460"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3204
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4228"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4228"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1236
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4228"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1596"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1596"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1596"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3792"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5256
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3792"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2932
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3792"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2472
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4836"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4836"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4836"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4804"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4804"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4804"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5836
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2896"
  2⤵
  PID:2548
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3792
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2896"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:624
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5600
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2896"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5084"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5084"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5748
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5084"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2592"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5164
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2592"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2592"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2988
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2360"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2360"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4924
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2360"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3380
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2932"
  2⤵
  PID:5432
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2932"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4720
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2932"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5276
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5540"
  2⤵
  - Kills process with taskkill
  PID:1372
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5736
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5540"
  2⤵
  - Kills process with taskkill
  PID:1844
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5540"
  2⤵
  PID:5272
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5512"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4612
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5512"
  2⤵
  - Kills process with taskkill
  PID:1684
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5512"
  2⤵
  PID:4128
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1828
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2904"
  2⤵
  PID:5452
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4428
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2904"
  2⤵
  PID:2276
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5652
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2904"
  2⤵
  - Kills process with taskkill
  PID:1988
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5888"
  2⤵
  PID:4756
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5984
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5888"
  2⤵
  PID:2152
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5888"
  2⤵
  - Kills process with taskkill
  PID:684
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5664"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5424
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5664"
  2⤵
  PID:3172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3252
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5664"
  2⤵
  - Kills process with taskkill
  PID:2740
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4524
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5980"
  2⤵
  - Kills process with taskkill
  PID:3960
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5980"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5936
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5980"
  2⤵
  - Kills process with taskkill
  PID:5620
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2908"
  2⤵
  PID:3108
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2908"
  2⤵
  - Kills process with taskkill
  PID:5552
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3412
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2908"
  2⤵
  PID:3408
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6084"
  2⤵
  - Kills process with taskkill
  PID:5788
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6084"
  2⤵
  PID:2516
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6084"
  2⤵
  - Kills process with taskkill
  PID:2360
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3648"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4816
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3648"
  2⤵
  PID:3760
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3648"
  2⤵
  - Kills process with taskkill
  PID:5964
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3568"
  2⤵
  - Kills process with taskkill
  PID:4476
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3568"
  2⤵
  - Kills process with taskkill
  PID:4784
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3568"
  2⤵
  - Kills process with taskkill
  PID:408
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3612
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3976"
  2⤵
  - Kills process with taskkill
  PID:3128
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3976"
  2⤵
  - Kills process with taskkill
  PID:4240
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3976"
  2⤵
  - Kills process with taskkill
  PID:3624
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5272"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2228
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5272"
  2⤵
  - Kills process with taskkill
  PID:3404
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1616
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5272"
  2⤵
  PID:2388
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5560"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1320
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5160
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5560"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3896
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5560"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\read_me_lkd.txt

Filesize
1KB

MD5
456f9ee19279b7267f4a39a1d09d23ff

SHA1
ff811ade989d29d81537b1549489b55965e78041

SHA256
76800f4dd8d468918290faced7b06fa0a287930d4c76e7719d49b41ba43a45c7

SHA512
5117b46ced621edb9d2552539613e76982d4d7f45ba2a709d92b6b0eab3f955af596fd5079fdc9326f784804a7c5f81e5d1e7a3bd3373b6fe50235afa87f8f07

Download Submit