hellokitty | 8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2

Analysis

max time kernel
103s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe
Size

477KB
MD5

eab47cbf897c7e9c2dc1009e11d1d928
SHA1

0816c29d03f6612b053db52a245f6c0062967b5d
SHA256

8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2
SHA512

18fb24334b50fb2270eede826e9ec8e5b124b4ed5f14e54a0c7348f1a306bef0d6b1b4059f337aac51970b045ed58d9c6680d9104a30f598196ae9a0726dac53
SSDEEP

3072:oNV+NjSXtz57JtE/Dglskr/gT72ZywWWq/ePVl/uw7cFhUD:oTcjSXDukskWWjzcFCD

Score

10^/10

hellokitty discovery ransomware

Malware Config

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty
Hellokitty family
hellokitty
Renames multiple (174) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
5864	net.exe
5908	net1.exe

Kills process with taskkill 64 IoCs

defense_evasion

pid	Process
5148	taskkill.exe
5004	taskkill.exe
4920	taskkill.exe
2196	taskkill.exe
5096	taskkill.exe
4616	taskkill.exe
1716	taskkill.exe
5232	taskkill.exe
2480	taskkill.exe
4432	taskkill.exe
412	taskkill.exe
4204	taskkill.exe
4728	taskkill.exe
2204	taskkill.exe
5404	taskkill.exe
400	taskkill.exe
5320	taskkill.exe
1228	taskkill.exe
1420	taskkill.exe
1944	taskkill.exe
4348	taskkill.exe
4752	taskkill.exe
4968	taskkill.exe
5496	taskkill.exe
4652	taskkill.exe
840	taskkill.exe
4136	taskkill.exe
2072	taskkill.exe
3036	taskkill.exe
4632	taskkill.exe
5200	taskkill.exe
320	taskkill.exe
5020	taskkill.exe
3508	taskkill.exe
3440	taskkill.exe
4712	taskkill.exe
5488	taskkill.exe
5644	taskkill.exe
5780	taskkill.exe
5224	taskkill.exe
5684	taskkill.exe
5848	taskkill.exe
5816	taskkill.exe
4104	taskkill.exe
2144	taskkill.exe
2196	taskkill.exe
720	taskkill.exe
5604	taskkill.exe
3944	taskkill.exe
1724	taskkill.exe
5244	taskkill.exe
5044	taskkill.exe
4848	taskkill.exe
4340	taskkill.exe
5164	taskkill.exe
6068	taskkill.exe
5812	taskkill.exe
776	taskkill.exe
5920	taskkill.exe
5224	taskkill.exe
936	taskkill.exe
4716	taskkill.exe
5056	taskkill.exe
5340	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe
5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	5096	taskkill.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	5320	taskkill.exe
Token: SeDebugPrivilege	5224	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeDebugPrivilege	4772	taskkill.exe
Token: SeDebugPrivilege	5684	taskkill.exe
Token: SeDebugPrivilege	936	taskkill.exe
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	5232	taskkill.exe
Token: SeDebugPrivilege	5452	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	1296	taskkill.exe
Token: SeDebugPrivilege	4788	taskkill.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	5812	taskkill.exe
Token: SeDebugPrivilege	4432	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	720	taskkill.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	5200	taskkill.exe
Token: SeDebugPrivilege	5148	taskkill.exe
Token: SeDebugPrivilege	5756	taskkill.exe
Token: SeDebugPrivilege	4712	taskkill.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	4340	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	2204	taskkill.exe
Token: SeDebugPrivilege	5828	taskkill.exe
Token: SeDebugPrivilege	3408	taskkill.exe
Token: SeDebugPrivilege	5404	taskkill.exe
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	5604	taskkill.exe
Token: SeDebugPrivilege	5020	taskkill.exe
Token: SeDebugPrivilege	5164	taskkill.exe
Token: SeDebugPrivilege	5244	taskkill.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	5340	taskkill.exe
Token: SeDebugPrivilege	5648	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5492 wrote to memory of 4136	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	205
PID 5492 wrote to memory of 4136	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	205
PID 5492 wrote to memory of 4136	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	205
PID 5492 wrote to memory of 2196	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	326
PID 5492 wrote to memory of 2196	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	326
PID 5492 wrote to memory of 2196	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	326
PID 5492 wrote to memory of 2072	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	90
PID 5492 wrote to memory of 2072	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	90
PID 5492 wrote to memory of 2072	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	90
PID 5492 wrote to memory of 5096	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	94
PID 5492 wrote to memory of 5096	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	94
PID 5492 wrote to memory of 5096	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	94
PID 5492 wrote to memory of 3036	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	95
PID 5492 wrote to memory of 3036	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	95
PID 5492 wrote to memory of 3036	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	95
PID 5492 wrote to memory of 5320	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	208
PID 5492 wrote to memory of 5320	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	208
PID 5492 wrote to memory of 5320	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	208
PID 5492 wrote to memory of 4104	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	100
PID 5492 wrote to memory of 4104	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	100
PID 5492 wrote to memory of 4104	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	100
PID 5492 wrote to memory of 5224	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	428
PID 5492 wrote to memory of 5224	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	428
PID 5492 wrote to memory of 5224	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	428
PID 5492 wrote to memory of 1860	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	238
PID 5492 wrote to memory of 1860	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	238
PID 5492 wrote to memory of 1860	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	238
PID 5492 wrote to memory of 5684	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	106
PID 5492 wrote to memory of 5684	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	106
PID 5492 wrote to memory of 5684	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	106
PID 5492 wrote to memory of 4204	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	107
PID 5492 wrote to memory of 4204	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	107
PID 5492 wrote to memory of 4204	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	107
PID 5492 wrote to memory of 752	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	111
PID 5492 wrote to memory of 752	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	111
PID 5492 wrote to memory of 752	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	111
PID 5492 wrote to memory of 4616	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	113
PID 5492 wrote to memory of 4616	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	113
PID 5492 wrote to memory of 4616	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	113
PID 5492 wrote to memory of 4632	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	114
PID 5492 wrote to memory of 4632	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	114
PID 5492 wrote to memory of 4632	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	114
PID 5492 wrote to memory of 4772	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	116
PID 5492 wrote to memory of 4772	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	116
PID 5492 wrote to memory of 4772	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	116
PID 5492 wrote to memory of 4752	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	119
PID 5492 wrote to memory of 4752	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	119
PID 5492 wrote to memory of 4752	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	119
PID 5492 wrote to memory of 936	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	121
PID 5492 wrote to memory of 936	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	121
PID 5492 wrote to memory of 936	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	121
PID 5492 wrote to memory of 1408	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	122
PID 5492 wrote to memory of 1408	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	122
PID 5492 wrote to memory of 1408	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	122
PID 5492 wrote to memory of 4968	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	125
PID 5492 wrote to memory of 4968	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	125
PID 5492 wrote to memory of 4968	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	125
PID 5492 wrote to memory of 5056	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	262
PID 5492 wrote to memory of 5056	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	262
PID 5492 wrote to memory of 5056	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	262
PID 5492 wrote to memory of 4480	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	129
PID 5492 wrote to memory of 4480	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	129
PID 5492 wrote to memory of 4480	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	129
PID 5492 wrote to memory of 4888	5492	8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe	261

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe
"C:\Users\Admin\AppData\Local\Temp\8fb025d59e501a545cae40ef222ca22b5722fdd487cdefb3f2e4b0a8635f9bc2.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:5492
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im mysql*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im dsa*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Ntrtscan*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im ds_monitor*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Notifier*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im TmListen*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5320
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im iVPAgent*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im CNTAoSMgr*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5224
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im IBM*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im bes10*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5684
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im black*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im robo*
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im copy*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4616
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im store.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sql*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im vee*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im wrsa.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im postg*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im sage*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    PID:5352
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$ISARS
  2⤵
  PID:4888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQL$MSFW
  2⤵
  PID:5956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$MSFW
    3⤵
    PID:5192
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$ISARS
  2⤵
  PID:4028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5940
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLAgent$MSFW
  2⤵
  PID:5340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$MSFW
    3⤵
    PID:1664
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLBrowser
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLBrowser
    3⤵
    PID:5244
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ReportServer$ISARS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ReportServer$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5348
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SQLWriter
  2⤵
  PID:3776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SQLWriter
    3⤵
    PID:2204
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop WinDefend
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3116
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop mr2kserv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3200
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mr2kserv
    3⤵
    PID:3620
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeADTopology
  2⤵
  PID:5416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeADTopology
    3⤵
    PID:2628
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeFBA
  2⤵
  PID:4496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeFBA
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5796
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeIS
  2⤵
  PID:3212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeIS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5208
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSExchangeSA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchangeSA
    3⤵
    PID:2808
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ShadowProtectSvc
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ShadowProtectSvc
    3⤵
    PID:5232
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPAdminV4
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPAdminV4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1232
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTimerV4
  2⤵
  - System Time Discovery
  PID:5864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTimerV4
    3⤵
    - System Time Discovery
    PID:5908
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPTraceV4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPTraceV4
    3⤵
    PID:3888
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPUserCodeV4
  2⤵
  PID:5884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPUserCodeV4
    3⤵
    PID:2104
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPWriterV4
  2⤵
  PID:5452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPWriterV4
    3⤵
    PID:4476
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop SPSearch4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SPSearch4
    3⤵
    PID:2468
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQLServerADHelper100
    3⤵
    PID:4136
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:3052
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop firebirdguardiandefaultinstance
  2⤵
  PID:4416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
    3⤵
    PID:5152
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop ibmiasrw
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ibmiasrw
    3⤵
    PID:4652
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBCFMonitorService
  2⤵
  PID:1124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4784
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBVSS
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBVSS
    3⤵
    PID:3992
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QBPOSDBServiceV12
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4240
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBPOSDBServiceV12
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3676
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"
  2⤵
  PID:5320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"
    3⤵
    PID:1132
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
  2⤵
  PID:4836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
    3⤵
    PID:5496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop IISADMIN
  2⤵
  PID:6056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop IISADMIN
    3⤵
    PID:4828
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:5224
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB1
  2⤵
  PID:4948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB1
    3⤵
    PID:1312
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB2
  2⤵
  PID:4692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB2
    3⤵
    PID:2376
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB3
  2⤵
  PID:4848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB3
    3⤵
    PID:532
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB4
  2⤵
  PID:5068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB4
    3⤵
    PID:5992
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB5
  2⤵
  PID:4812
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB5
    3⤵
    PID:3544
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB6
  2⤵
  PID:5040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB6
    3⤵
    PID:1960
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB7
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB7
    3⤵
    PID:1496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB8
  2⤵
  PID:5276
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB8
    3⤵
    PID:5728
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB9
    3⤵
    PID:4676
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB10
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB10
    3⤵
    PID:6080
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB11
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB12
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4824
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB12
    3⤵
    PID:1048
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB13
  2⤵
  - System Location Discovery: System Language Discovery
  PID:320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB13
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5796
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB14
  2⤵
  PID:4352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB14
    3⤵
    PID:1388
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB15
  2⤵
  PID:5348
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB15
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3976
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB16
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB16
    3⤵
    PID:3948
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB17
  2⤵
  PID:5056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB17
    3⤵
    PID:4056
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB18
  2⤵
  PID:1956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB18
    3⤵
    - System Location Discovery: System Language Discovery
    PID:60
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB19
  2⤵
  - System Location Discovery: System Language Discovery
  PID:264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB19
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5228
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB20
  2⤵
  PID:5340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB20
    3⤵
    PID:4132
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB21
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB21
    3⤵
    PID:5808
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3200
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB22
    3⤵
    PID:5144
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB23
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2916
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB23
    3⤵
    PID:1528
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB24
  2⤵
  PID:776
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB24
    3⤵
    PID:2928
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop QuickBooksDB25
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5672
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QuickBooksDB25
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2432"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2432"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5232
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2432"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2956"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5452
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2956"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2956"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1736"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1736"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2468
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1736"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4788
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5068"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5068"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5068"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5812
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4812"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4812"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4812"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5040"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5040"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5040"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:412
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2096"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5200
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2096"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2096"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5276"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5756
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5276"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5276"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5148
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4900"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4900"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4900"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3996"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3996"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1532
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3996"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5828
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5776"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5776"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5776"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4824"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5404
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4824"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4824"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4352"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5604
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4352"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5020
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5348
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4352"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5164
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5228
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5348"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5244
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5348"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3508
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3212
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5348"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5340
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2004"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2556
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2004"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5648
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2004"
  2⤵
  PID:4520
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2800
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5056"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:400
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5672
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5056"
  2⤵
  - Kills process with taskkill
  PID:5848
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5056"
  2⤵
  - Kills process with taskkill
  PID:5488
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2916
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1956"
  2⤵
  PID:2480
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1956"
  2⤵
  - Kills process with taskkill
  PID:1944
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3944
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1956"
  2⤵
  - Kills process with taskkill
  PID:6068
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5340"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4904
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5340"
  2⤵
  - Kills process with taskkill
  PID:5004
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5340"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5496
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2328"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4804
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2328"
  2⤵
  - Kills process with taskkill
  PID:5816
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1228
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2328"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5644
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3200"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4920
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3200"
  2⤵
  - Kills process with taskkill
  PID:5920
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3200"
  2⤵
  - Kills process with taskkill
  PID:4348
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2916"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4852
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2916"
  2⤵
  - Kills process with taskkill
  PID:4652
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2916"
  2⤵
  - Kills process with taskkill
  PID:5780
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5672"
  2⤵
  PID:1508
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5672"
  2⤵
  - Kills process with taskkill
  PID:5224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2208
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5672"
  2⤵
  - Kills process with taskkill
  PID:840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4964

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:1388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5728

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3408

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\read_me_lkd.txt

Filesize
1KB

MD5
456f9ee19279b7267f4a39a1d09d23ff

SHA1
ff811ade989d29d81537b1549489b55965e78041

SHA256
76800f4dd8d468918290faced7b06fa0a287930d4c76e7719d49b41ba43a45c7

SHA512
5117b46ced621edb9d2552539613e76982d4d7f45ba2a709d92b6b0eab3f955af596fd5079fdc9326f784804a7c5f81e5d1e7a3bd3373b6fe50235afa87f8f07

Download Submit