hellokitty | 3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9

Analysis

max time kernel
102s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe
Size

155KB
MD5

af568e8a6060812f040f0cb0fd6f5a7b
SHA1

e7f0c17b338d78c4f8b82b032af9f81828512b30
SHA256

3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9
SHA512

2c44272dcf130a95ea0e83fa02d2629edecf94b16452127f2e177f00f4bf48f2e306ec53b28d2005a27e8b683dc683fb54146a711233aa1e1c4256a9e4ac979b
SSDEEP

3072:eaV+7SXvezfVdzGt3/ygs7vZoVCrmjePFpUSFC:eI4SXvktuo6CK+KSF

Score

10^/10

hellokitty discovery ransomware

Malware Config

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty
Hellokitty family
hellokitty
Renames multiple (153) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
5804	net.exe
5748	net1.exe

Kills process with taskkill 64 IoCs

defense_evasion

pid	Process
4932	taskkill.exe
4452	taskkill.exe
3928	taskkill.exe
60	taskkill.exe
1140	taskkill.exe
4188	taskkill.exe
3480	taskkill.exe
932	taskkill.exe
1304	taskkill.exe
4560	taskkill.exe
3772	taskkill.exe
3588	taskkill.exe
2748	taskkill.exe
1076	taskkill.exe
1700	taskkill.exe
5448	taskkill.exe
4648	taskkill.exe
5152	taskkill.exe
3752	taskkill.exe
228	taskkill.exe
5380	taskkill.exe
4924	taskkill.exe
3660	taskkill.exe
668	taskkill.exe
5164	taskkill.exe
2388	taskkill.exe
4388	taskkill.exe
4476	taskkill.exe
1620	taskkill.exe
4028	taskkill.exe
3456	taskkill.exe
4072	taskkill.exe
3612	taskkill.exe
6136	taskkill.exe
1968	taskkill.exe
3324	taskkill.exe
5160	taskkill.exe
2136	taskkill.exe
1320	taskkill.exe
5756	taskkill.exe
2648	taskkill.exe
5748	taskkill.exe
4236	taskkill.exe
3232	taskkill.exe
636	taskkill.exe
4932	taskkill.exe
1600	taskkill.exe
5684	taskkill.exe
3048	taskkill.exe
4572	taskkill.exe
3536	taskkill.exe
4540	taskkill.exe
412	taskkill.exe
3644	taskkill.exe
2424	taskkill.exe
408	taskkill.exe
5152	taskkill.exe
5428	taskkill.exe
1200	taskkill.exe
4924	taskkill.exe
5824	taskkill.exe
5828	taskkill.exe
2760	taskkill.exe
3560	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe
388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	5684	taskkill.exe
Token: SeDebugPrivilege	5136	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	5672	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	4840	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	5448	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	5980	taskkill.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	6120	taskkill.exe
Token: SeDebugPrivilege	3324	taskkill.exe
Token: SeDebugPrivilege	5772	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeDebugPrivilege	408	taskkill.exe
Token: SeDebugPrivilege	60	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	5380	taskkill.exe
Token: SeDebugPrivilege	5152	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	4924	taskkill.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	4692	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeDebugPrivilege	1304	taskkill.exe
Token: SeDebugPrivilege	5164	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	4236	taskkill.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	4180	taskkill.exe
Token: SeDebugPrivilege	5284	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	4648	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	5844	taskkill.exe
Token: SeDebugPrivilege	5048	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 668	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	86
PID 388 wrote to memory of 668	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	86
PID 388 wrote to memory of 668	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	86
PID 388 wrote to memory of 2904	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	88
PID 388 wrote to memory of 2904	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	88
PID 388 wrote to memory of 2904	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	88
PID 388 wrote to memory of 2424	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	89
PID 388 wrote to memory of 2424	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	89
PID 388 wrote to memory of 2424	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	89
PID 388 wrote to memory of 5136	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	91
PID 388 wrote to memory of 5136	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	91
PID 388 wrote to memory of 5136	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	91
PID 388 wrote to memory of 5684	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	94
PID 388 wrote to memory of 5684	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	94
PID 388 wrote to memory of 5684	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	94
PID 388 wrote to memory of 2532	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	96
PID 388 wrote to memory of 2532	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	96
PID 388 wrote to memory of 2532	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	96
PID 388 wrote to memory of 5672	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	98
PID 388 wrote to memory of 5672	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	98
PID 388 wrote to memory of 5672	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	98
PID 388 wrote to memory of 1032	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	100
PID 388 wrote to memory of 1032	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	100
PID 388 wrote to memory of 1032	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	100
PID 388 wrote to memory of 4708	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	102
PID 388 wrote to memory of 4708	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	102
PID 388 wrote to memory of 4708	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	102
PID 388 wrote to memory of 4840	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	104
PID 388 wrote to memory of 4840	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	104
PID 388 wrote to memory of 4840	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	104
PID 388 wrote to memory of 4296	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	106
PID 388 wrote to memory of 4296	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	106
PID 388 wrote to memory of 4296	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	106
PID 388 wrote to memory of 5448	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	507
PID 388 wrote to memory of 5448	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	507
PID 388 wrote to memory of 5448	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	507
PID 388 wrote to memory of 932	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	111
PID 388 wrote to memory of 932	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	111
PID 388 wrote to memory of 932	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	111
PID 388 wrote to memory of 4056	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	113
PID 388 wrote to memory of 4056	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	113
PID 388 wrote to memory of 4056	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	113
PID 388 wrote to memory of 224	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	499
PID 388 wrote to memory of 224	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	499
PID 388 wrote to memory of 224	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	499
PID 388 wrote to memory of 5980	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	117
PID 388 wrote to memory of 5980	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	117
PID 388 wrote to memory of 5980	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	117
PID 388 wrote to memory of 4344	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	257
PID 388 wrote to memory of 4344	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	257
PID 388 wrote to memory of 4344	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	257
PID 388 wrote to memory of 6120	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	120
PID 388 wrote to memory of 6120	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	120
PID 388 wrote to memory of 6120	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	120
PID 388 wrote to memory of 5772	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	123
PID 388 wrote to memory of 5772	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	123
PID 388 wrote to memory of 5772	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	123
PID 388 wrote to memory of 3324	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	398
PID 388 wrote to memory of 3324	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	398
PID 388 wrote to memory of 3324	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	398
PID 388 wrote to memory of 3408	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	127
PID 388 wrote to memory of 3408	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	127
PID 388 wrote to memory of 3408	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	127
PID 388 wrote to memory of 3504	388	3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe
"C:\Users\Admin\AppData\Local\Temp\3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "mysql*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "dsa*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "Ntrtscan*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "ds_monitor*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5136
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "Notifier*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5684
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "TmListen*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "iVPAgent*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5672
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "CNTAoSMgr*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "IBM*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "bes10*"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "black*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4296
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "robo*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5448
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "copy*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "store.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "sql*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:224
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "vee*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5980
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "wrsa*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "wrsa.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6120
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "postg*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5772
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "sage*"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100"
  2⤵
  PID:3408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
    3⤵
    PID:1620
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSSQL$ISARS"
  2⤵
  PID:3504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$ISARS"
    3⤵
    PID:4072
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSSQL$MSFW"
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$MSFW"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4596
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLAgent$ISARS"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$ISARS"
    3⤵
    PID:5840
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLAgent$MSFW"
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$MSFW"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4572
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLBrowser"
  2⤵
  PID:228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLBrowser"
    3⤵
    PID:1888
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "ReportServer$ISARS"
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$ISARS"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1840
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLWriter"
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLWriter"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5028
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "WinDefend"
  2⤵
  PID:6000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WinDefend"
    3⤵
    PID:1756
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "mr2kserv"
  2⤵
  PID:4548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mr2kserv"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1124
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSExchangeADTopology"
  2⤵
  PID:5404
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeADTopology"
    3⤵
    PID:1684
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSExchangeFBA"
  2⤵
  PID:408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeFBA"
    3⤵
    PID:5740
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSExchangeIS"
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeIS"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSExchangeSA"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSA"
    3⤵
    PID:4824
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "ShadowProtectSvc"
  2⤵
  PID:948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ShadowProtectSvc"
    3⤵
    PID:4552
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPAdminV4"
  2⤵
  PID:3936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPAdminV4"
    3⤵
    PID:1480
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPTimerV4"
  2⤵
  - System Time Discovery
  PID:5804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPTimerV4"
    3⤵
    - System Time Discovery
    PID:5748
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPTraceV4"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPTraceV4"
    3⤵
    PID:3016
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPUserCodeV4"
  2⤵
  PID:5604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPUserCodeV4"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2164
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPWriterV4"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPWriterV4"
    3⤵
    PID:4028
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPSearch4"
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPSearch4"
    3⤵
    PID:60
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100"
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:544
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IISADMIN"
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IISADMIN"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3256
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "firebirdguardiandefaultinstance"
  2⤵
  PID:3588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "firebirdguardiandefaultinstance"
    3⤵
    PID:5468
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "ibmiasrw"
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ibmiasrw"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4560
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QBCFMonitorService"
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QBCFMonitorService"
    3⤵
    PID:2984
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QBVSS"
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QBVSS"
    3⤵
    PID:5876
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QBPOSDBServiceV12"
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QBPOSDBServiceV12"
    3⤵
    PID:5532
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"
  2⤵
  PID:4060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1208
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IISADMIN"
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IISADMIN"
    3⤵
    PID:6108
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1916
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:4016
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB1"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB1"
    3⤵
    PID:1580
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB2"
  2⤵
  PID:2432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB2"
    3⤵
    PID:6136
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB3"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB3"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1636
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB4"
  2⤵
  PID:5552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB4"
    3⤵
    PID:4660
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB5"
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB5"
    3⤵
    PID:3856
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB6"
  2⤵
  PID:5760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB6"
    3⤵
    PID:5172
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB7"
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB7"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1140
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB8"
  2⤵
  PID:5556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB8"
    3⤵
    PID:4236
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB9"
  2⤵
  PID:1112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB9"
    3⤵
    PID:4452
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB10"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5336
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB10"
    3⤵
    PID:5788
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB11"
  2⤵
  PID:6084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB11"
    3⤵
    PID:5716
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB12"
  2⤵
  PID:3124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB12"
    3⤵
    PID:4552
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB13"
  2⤵
  PID:820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB13"
    3⤵
    PID:4684
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB14"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB14"
    3⤵
    PID:5784
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB15"
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB15"
    3⤵
    PID:3992
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB16"
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB16"
    3⤵
    PID:2776
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB17"
  2⤵
  PID:2248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB17"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB18"
  2⤵
  PID:3096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB18"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB19"
  2⤵
  PID:2416
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB19"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1684
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB20"
  2⤵
  PID:5544
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB20"
    3⤵
    PID:3996
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB21"
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB21"
    3⤵
    PID:1880
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB22"
  2⤵
  PID:764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB22"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5872
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB23"
  2⤵
  PID:680
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB23"
    3⤵
    PID:4020
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB24"
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB24"
    3⤵
    PID:5240
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB25"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB25"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5632
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2708"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2708"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2708"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1152"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1152"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1152"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2844"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2844"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2844"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5804"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5380
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5804"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5152
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5804"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1160"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4924
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1160"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1160"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2548"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1580
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2548"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2548"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3588"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3588"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3588"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5164
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2748"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2748"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2748"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2040"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2040"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2040"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3920"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3920"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3920"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5336
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2364"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2364"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2364"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3536
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4060"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4180
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4060"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5284
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4552
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4060"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1772"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1772"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1772"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1688"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2164
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1688"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1688"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5844
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1916"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1916"
  2⤵
  PID:4328
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1916"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3356"
  2⤵
  - Kills process with taskkill
  PID:5428
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3356"
  2⤵
  PID:3772
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4588
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3356"
  2⤵
  - Kills process with taskkill
  PID:5756
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2432"
  2⤵
  - Kills process with taskkill
  PID:5160
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2432"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5188
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2432"
  2⤵
  PID:3324
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:60
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2052"
  2⤵
  - Kills process with taskkill
  PID:3612
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2052"
  2⤵
  PID:3244
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2052"
  2⤵
  - Kills process with taskkill
  PID:2760
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5552"
  2⤵
  PID:4492
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5552"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3560
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:544
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5552"
  2⤵
  - Kills process with taskkill
  PID:3588
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2716"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5152
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3992
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2716"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1200
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2716"
  2⤵
  PID:1284
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5760"
  2⤵
  - Kills process with taskkill
  PID:3232
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5760"
  2⤵
  - Kills process with taskkill
  PID:4388
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1216
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5760"
  2⤵
  - Kills process with taskkill
  PID:4924
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2908"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2908"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4020
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2908"
  2⤵
  - Kills process with taskkill
  PID:5824
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5556"
  2⤵
  - Kills process with taskkill
  PID:2648
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5556"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4540
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5556"
  2⤵
  PID:4624
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1112"
  2⤵
  - Kills process with taskkill
  PID:6136
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1112"
  2⤵
  - Kills process with taskkill
  PID:1140
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1112"
  2⤵
  - Kills process with taskkill
  PID:5828
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5336"
  2⤵
  - Kills process with taskkill
  PID:412
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5336"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5776
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5336"
  2⤵
  PID:4988
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6084"
  2⤵
  PID:6116
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6084"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1852
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6084"
  2⤵
  - Kills process with taskkill
  PID:1968
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3124"
  2⤵
  - Kills process with taskkill
  PID:5748
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3124"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4188
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3124
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3124"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:536
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6112"
  2⤵
  - Kills process with taskkill
  PID:636
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6112"
  2⤵
  PID:612
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4180
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6112"
  2⤵
  PID:3352
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1564"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2444
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1564"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3480
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1564"
  2⤵
  - Kills process with taskkill
  PID:3752
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4612
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2560"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4932
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2560"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4476
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2560"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2248"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5664
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5048
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2248"
  2⤵
  PID:1156
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2248"
  2⤵
  - Kills process with taskkill
  PID:1620
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3096"
  2⤵
  - Kills process with taskkill
  PID:228
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3096"
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1700
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3356
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3096"
  2⤵
  - Kills process with taskkill
  PID:4560
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2416"
  2⤵
  PID:5864
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2416"
  2⤵
  PID:6112
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2416"
  2⤵
  - Kills process with taskkill
  PID:3772
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:224
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5544"
  2⤵
  - Kills process with taskkill
  PID:3644
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4072
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5544"
  2⤵
  - Kills process with taskkill
  PID:1600
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5544"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5464
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5580
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4648"
  2⤵
  PID:5512
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4648"
  2⤵
  PID:3244
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1320
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4648"
  2⤵
  PID:3532
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5448
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3772"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1976
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3772"
  2⤵
  - Kills process with taskkill
  PID:2136
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "3772"
  2⤵
  PID:3588
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1012
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5580"
  2⤵
  PID:1856
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2716
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5580"
  2⤵
  - Kills process with taskkill
  PID:4028
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5580"
  2⤵
  PID:5596
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5152

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5164

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:412

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4540

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\read_me_lkd.txt

Filesize
902B

MD5
b0b13b5db3224cdbc0c6e3422e442cff

SHA1
14afcdad871b460fde1b0dfe239b982d67cd5d1c

SHA256
168c0d06834b7cb7543c85cafa8143485f4a4d3f6730bd7585999c220287e4f5

SHA512
58ca8cd1ae64e063df2ce52350a81e4bd8a45cc2f484fd9674f0021567afa6ba571ed8757fce333e30eb8bf49ae5e22c2c0cb26c41b00e401c1a6c62b8bdaadb

Download Submit