Analysis
-
max time kernel
93s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
10/04/2025, 09:12
General
-
Target
192acfe0d55eef4c49cb7c803e7130d2f5ecd6bdee446f1c065ea6dee489ea6c.exe
-
Size
477KB
-
MD5
16153e9582cfe94a06fc670a5d851ed9
-
SHA1
9a59a3310086462fd4bbf4781995464eb889974c
-
SHA256
192acfe0d55eef4c49cb7c803e7130d2f5ecd6bdee446f1c065ea6dee489ea6c
-
SHA512
f6b755d41087816635509cd92c747ac29095313b0f20e287a0b8d3b2be41b1e20ad7dce71d9b39b88981332250b57127cb686d898afeb5a741411e0c53454c5a
-
SSDEEP
3072:qNV+7SXjtEjDg/s6L7h/gT72ZywWWq/ePVl/uw7cFh:qTwSXNUQmkWWjzcF
Score
10/10
Malware Config
Signatures
-
HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
-
Hellokitty family
-
Renames multiple (179) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Time Discovery 1 TTPs 2 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
-
Kills process with taskkill 64 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\192acfe0d55eef4c49cb7c803e7130d2f5ecd6bdee446f1c065ea6dee489ea6c.exe"C:\Users\Admin\AppData\Local\Temp\192acfe0d55eef4c49cb7c803e7130d2f5ecd6bdee446f1c065ea6dee489ea6c.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im mysql*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im dsa*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Ntrtscan*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im ds_monitor*2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Notifier*2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im TmListen*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im iVPAgent*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im CNTAoSMgr*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im IBM*2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im bes10*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im black*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im robo*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im copy*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im store.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im sql*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im vee*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im wrsa*2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im wrsa.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im postg*2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im sage*2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper1002⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1003⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSSQL$ISARS2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$ISARS3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSSQL$MSFW2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$MSFW3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$ISARS2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$ISARS3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SQLAgent$MSFW2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$MSFW3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SQLBrowser2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop ReportServer$ISARS2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ReportServer$ISARS3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SQLWriter2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop mr2kserv2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mr2kserv3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSExchangeADTopology2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeADTopology3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSExchangeFBA2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeFBA3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSExchangeIS2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeIS3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSExchangeSA2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSExchangeSA3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop ShadowProtectSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ShadowProtectSvc3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SPAdminV42⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPAdminV43⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SPTimerV42⤵
- System Time Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPTimerV43⤵
- System Location Discovery: System Language Discovery
- System Time Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SPTraceV42⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPTraceV43⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SPUserCodeV42⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPUserCodeV43⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SPWriterV42⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPWriterV43⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop SPSearch42⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SPSearch43⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop MSSQLServerADHelper1002⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1003⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop IISADMIN2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISADMIN3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop firebirdguardiandefaultinstance2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop firebirdguardiandefaultinstance3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop ibmiasrw2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ibmiasrw3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QBCFMonitorService2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QBVSS2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBVSS3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QBPOSDBServiceV122⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBPOSDBServiceV123⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop IISADMIN2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop IISADMIN3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB12⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB13⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB22⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB23⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB32⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB33⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB42⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB43⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB52⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB53⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB62⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB63⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB72⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB73⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB82⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB83⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB92⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB93⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB102⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB103⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB112⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB113⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB122⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB123⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB132⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB133⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB142⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB143⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB152⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB153⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB162⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB163⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB172⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB173⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB182⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB183⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB192⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB193⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB202⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB203⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB212⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB213⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB222⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB223⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB232⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB233⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB242⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB243⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop QuickBooksDB252⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QuickBooksDB253⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2556"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2556"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2556"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2876"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2876"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2876"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3252"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3252"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3252"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5216"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5216"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5216"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5272"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5272"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5272"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5288"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5288"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5288"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5328"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5328"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5328"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5380"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5380"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5380"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5536"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5536"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5536"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5592"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5592"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5592"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5680"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5680"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5680"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5768"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5768"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5768"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5836"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5836"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5836"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5844"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5844"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5844"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5904"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5904"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5904"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6100"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6100"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6100"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5104"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5104"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5104"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4856"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4856"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4856"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1400"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1400"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1400"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5824"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5824"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5824"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2268"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2268"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2268"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3180"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3180"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3180"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5232"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5232"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5232"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2240"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2240"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2240"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2248"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2248"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2248"2⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5108"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5108"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5108"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1464"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1464"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1464"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1604"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1604"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1604"2⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2788"2⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2788"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2788"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3920"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3920"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3920"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5392"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5392"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5392"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1764"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1764"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1764"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1896"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1896"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1896"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2340"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2340"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2340"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4452"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4452"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4452"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1684"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1684"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1684"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3476"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3476"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3476"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5336"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5336"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5336"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4136"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4136"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4136"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4908"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4908"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4908"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4128"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4128"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "4128"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5788"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5788"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5788"2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 49bf88c5d3f52adf4a614f42c2228c82 2/HijjhgU0a0VSjgh5I1pA.0.1.0.0.01⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5456f9ee19279b7267f4a39a1d09d23ff
SHA1ff811ade989d29d81537b1549489b55965e78041
SHA25676800f4dd8d468918290faced7b06fa0a287930d4c76e7719d49b41ba43a45c7
SHA5125117b46ced621edb9d2552539613e76982d4d7f45ba2a709d92b6b0eab3f955af596fd5079fdc9326f784804a7c5f81e5d1e7a3bd3373b6fe50235afa87f8f07