Analysis
-
max time kernel
80s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
10/04/2025, 08:28
General
-
Target
3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe
-
Size
155KB
-
MD5
af568e8a6060812f040f0cb0fd6f5a7b
-
SHA1
e7f0c17b338d78c4f8b82b032af9f81828512b30
-
SHA256
3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9
-
SHA512
2c44272dcf130a95ea0e83fa02d2629edecf94b16452127f2e177f00f4bf48f2e306ec53b28d2005a27e8b683dc683fb54146a711233aa1e1c4256a9e4ac979b
-
SSDEEP
3072:eaV+7SXvezfVdzGt3/ygs7vZoVCrmjePFpUSFC:eI4SXvktuo6CK+KSF
Score
10/10
Malware Config
Signatures
-
HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
-
Hellokitty family
-
Renames multiple (181) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Time Discovery 1 TTPs 2 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
-
Kills process with taskkill 64 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe"C:\Users\Admin\AppData\Local\Temp\3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "mysql*"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "dsa*"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "Ntrtscan*"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "ds_monitor*"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "Notifier*"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "TmListen*"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "iVPAgent*"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "CNTAoSMgr*"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "IBM*"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "bes10*"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "black*"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "robo*"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "copy*"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "store.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "sql*"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "vee*"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "wrsa*"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "wrsa.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "postg*"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im "sage*"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLServerADHelper100"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$ISARS"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$ISARS"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQL$MSFW"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQL$MSFW"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$ISARS"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$ISARS"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLAgent$MSFW"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLAgent$MSFW"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLBrowser"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLBrowser"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "ReportServer$ISARS"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "ReportServer$ISARS"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SQLWriter"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SQLWriter"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "WinDefend"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "WinDefend"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "mr2kserv"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "mr2kserv"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSExchangeADTopology"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSExchangeADTopology"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSExchangeFBA"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSExchangeFBA"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSExchangeIS"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSExchangeIS"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSExchangeSA"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSExchangeSA"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "ShadowProtectSvc"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "ShadowProtectSvc"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SPAdminV4"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SPAdminV4"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SPTimerV4"2⤵
- System Time Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SPTimerV4"3⤵
- System Location Discovery: System Language Discovery
- System Time Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SPTraceV4"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SPTraceV4"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SPUserCodeV4"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SPUserCodeV4"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SPWriterV4"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SPWriterV4"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "SPSearch4"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SPSearch4"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "MSSQLServerADHelper100"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "IISADMIN"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "IISADMIN"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "firebirdguardiandefaultinstance"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "firebirdguardiandefaultinstance"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "ibmiasrw"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "ibmiasrw"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QBCFMonitorService"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QBCFMonitorService"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QBVSS"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QBVSS"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QBPOSDBServiceV12"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QBPOSDBServiceV12"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "IISADMIN"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "IISADMIN"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB1"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB1"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB2"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB2"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB3"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB3"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB4"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB4"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB5"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB5"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB6"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB6"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB7"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB7"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB8"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB8"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB9"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB9"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB10"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB10"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB11"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB11"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB12"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB12"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB13"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB13"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB14"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB14"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB15"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB15"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB16"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB16"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB17"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB17"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB18"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB18"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB19"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB19"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB20"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB20"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB21"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB21"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB22"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB22"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB23"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB23"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB24"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB24"3⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "QuickBooksDB25"2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "QuickBooksDB25"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2712"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2712"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2712"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2992"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2992"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2992"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2708"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2708"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2708"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3556"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3556"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3556"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2880"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2880"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2880"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2864"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2864"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "2864"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3036"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3036"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3036"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1200"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1200"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "1200"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3748"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3748"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "3748"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5348"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5348"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5348"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5004"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5004"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5004"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5996"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5996"2⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5996"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5380"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5380"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5380"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6132"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6132"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6132"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5576"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5576"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5576"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6096"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6096"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6096"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5664"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5664"2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5664"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5836"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5836"2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "5836"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6068"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6068"2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /PID "6068"2⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe e1d39353cc2b6298f37abb53b102c6f7 ZcImzxL73ECIAVEmG0k59g.0.1.0.0.01⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
902B
MD5b0b13b5db3224cdbc0c6e3422e442cff
SHA114afcdad871b460fde1b0dfe239b982d67cd5d1c
SHA256168c0d06834b7cb7543c85cafa8143485f4a4d3f6730bd7585999c220287e4f5
SHA51258ca8cd1ae64e063df2ce52350a81e4bd8a45cc2f484fd9674f0021567afa6ba571ed8757fce333e30eb8bf49ae5e22c2c0cb26c41b00e401c1a6c62b8bdaadb