medusaransomware | 6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de

Analysis

max time kernel
96s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
Size

624KB
MD5

602d720f1184d2ad739568cbf6403331
SHA1

c5f349be3ed0591acbe52160cb6bf5acbfbfb91f
SHA256

6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de
SHA512

9e4a83ed0d329b79b79f75e493af4457bbd7999293ddd3d5c7010701cfc3a28c84d99a3bffbbcfaadad5a1dd8daf927202dd8911246f3ff2f94f57860f7ad653
SSDEEP

12288:GhdW6SX6bEpZqRMsHcrnjjZV9StQ5Hs5yFAgks8B4lDBJsH3Jt5+REn8Ic04qKYb:kB36aAJmVSvGWEcXvvKw4IRRs3WPOFTJ

Score

10^/10

medusaransomware credential_access discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

F:\!!!READ_ME_MEDUSA!!!.txt

Ransom Note

$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ | $$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ | $$ \$$$ $$ |$$ __| $$ | $$ |$$ | $$ | \____$$\ $$ __$$ | $$ |\$ /$$ |$$ | $$ | $$ |$$ | $$ |$$\ $$ |$$ | $$ | $$ | \_/ $$ |$$$$$$$$\ $$$$$$$ |\$$$$$$ |\$$$$$$ |$$ | $$ | \__| \__|\________|\_______/ \______/ \______/ \__| \__| -----------------------------[ Hello, EFI !!! ]-------------------------- Sorry to interrupt your busy business. WHAT HAPPEND? ------------------------------------------------------------ 1. We have PENETRATE your network and COPIED data. We have penetrated your entire network and researched all about your data. And we have copied terabytes of all your confidential data and uploaded to private storage. * You're running a highly valued business and your data was very crucial. 2. We have ENCRYPTED your files. While you are reading this message, it means your files and data has been ENCRYPTED by world's strongest ransomware. Your files have encrypted with new military-grade encryption algorithm and you can not decrypt your files. But don't worry, we can decrypt your files. There is only one possible way to get back your computers and servers, keep your privacy safe - CONTACT us via LIVE CHAT and pay for the special MEDUSA DECRYPTOR and DECRYPTION KEYs. This MEDUSA DECRYPTOR will restore your entire network within less than 1 business day. WHAT GUARANTEES? --------------------------------------------------------------- We can post all of your critial data to the public and send emails to your competitors. We have professional OSINTs and media team for leak data to telegram, facebook, twitter channels and top news websites. You can easily search about us. You can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues. After paying for the data breach and decryption, we guarantee that your data will never be leaked and make everything silent, this is also for our reputation. YOU should be AWARE! --------------------------------------------------------------- We will speak only with an authorized person. It can be the CEO, top management etc. In case you ar not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm! If you do not contact us within 48 hours, We will start publish your case to our official blog and everybody will start notice your incident! --------------------[ Telegram channel ]-------------------- https://t.me/+yXOcSjVjI9tjM2E0 --------------------[ Official blog tor address ]-------------------- Using TOR Browser(https://www.torproject.org/download/): http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/ http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/ CONTACT US! ----------------------[ Your company live chat address ]--------------------------- Using TOR Browser(https://www.torproject.org/download/): http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c Backup Mirrors: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c --------------------[ Or Use Tox Chat Program(https://utox.org/uTox_win64.exe) ]-------------------- Add user with our tox ID : 061AA6BDE8F6DE6C92F0D6E077359BF6911FCAF80030E82B3A3DB65E63C8011343D34F956FEC Our support email: ( [email protected] ) Company identification hash: da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b

Emails

[email protected]

URLs

https://t.me/+yXOcSjVjI9tjM2E0

http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/

http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/

http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c

http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c

Signatures

Medusa Ransomware
Ransomware first identified in 2022 that is distinct from the similarly named ransomware family MedusaLocker.
ransomware medusaransomware
Renames multiple (8812) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Public\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated_contrast-black.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCacheMini.scale-125.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\1.jpg	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\LargeTile.scale-125.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\SolitaireLiveTileUpdater.winmd	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\applet\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-125_contrast-black.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-150.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericIntl-1.jpg	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-96_contrast-black.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-200_contrast-black.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\ui-strings.js	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\View3d\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-150.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\MedTile.scale-200.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\SmallTile.scale-200.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\ui-strings.js	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File created	C:\Program Files (x86)\Google\Temp\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\PREVIEW.GIF	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-400.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\hi.pak.DATA	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-16_altform-unplated.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons_retina.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-60_altform-unplated_contrast-black.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\UserControls\RangeSelector.xbf	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-36_altform-unplated.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_history_18.svg	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\ui-strings.js	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_18.svg	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LargeTile.scale-125_contrast-white.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_replace_signer_18.svg	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\ui-strings.js	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_link_18.svg	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\ui-strings.js	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\!!!READ_ME_MEDUSA!!!.txt	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\resources.pri	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-400.png	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2116	4052	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7364	cmd.exe
6436	PING.EXE

Kills process with taskkill 44 IoCs

evasion

pid	Process
5644	taskkill.exe
5176	taskkill.exe
5172	taskkill.exe
6132	taskkill.exe
5568	taskkill.exe
5528	taskkill.exe
5888	taskkill.exe
6060	taskkill.exe
6400	taskkill.exe
6512	taskkill.exe
5976	taskkill.exe
5552	taskkill.exe
5420	taskkill.exe
6008	taskkill.exe
6288	taskkill.exe
6092	taskkill.exe
5856	taskkill.exe
5852	taskkill.exe
6076	taskkill.exe
5188	taskkill.exe
5580	taskkill.exe
6456	taskkill.exe
5816	taskkill.exe
6072	taskkill.exe
5704	taskkill.exe
5272	taskkill.exe
6224	taskkill.exe
6348	taskkill.exe
5180	taskkill.exe
5184	taskkill.exe
5640	taskkill.exe
5904	taskkill.exe
5752	taskkill.exe
6160	taskkill.exe
5288	taskkill.exe
5424	taskkill.exe
5512	taskkill.exe
5880	taskkill.exe
5596	taskkill.exe
5772	taskkill.exe
6012	taskkill.exe
5740	taskkill.exe
5160	taskkill.exe
5656	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{B5613F07-2B3D-4B45-81AE-76D35AF232FF}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6436	PING.EXE

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	5816	taskkill.exe
Token: SeDebugPrivilege	5976	taskkill.exe
Token: SeDebugPrivilege	6072	taskkill.exe
Token: SeDebugPrivilege	5180	taskkill.exe
Token: SeDebugPrivilege	5288	taskkill.exe
Token: SeDebugPrivilege	5424	taskkill.exe
Token: SeDebugPrivilege	5528	taskkill.exe
Token: SeDebugPrivilege	5552	taskkill.exe
Token: SeDebugPrivilege	5644	taskkill.exe
Token: SeDebugPrivilege	5704	taskkill.exe
Token: SeDebugPrivilege	5888	taskkill.exe
Token: SeDebugPrivilege	6092	taskkill.exe
Token: SeDebugPrivilege	5184	taskkill.exe
Token: SeDebugPrivilege	5272	taskkill.exe
Token: SeDebugPrivilege	5596	taskkill.exe
Token: SeDebugPrivilege	5640	taskkill.exe
Token: SeDebugPrivilege	5772	taskkill.exe
Token: SeDebugPrivilege	5904	taskkill.exe
Token: SeDebugPrivilege	5176	taskkill.exe
Token: SeDebugPrivilege	5420	taskkill.exe
Token: SeDebugPrivilege	5856	taskkill.exe
Token: SeDebugPrivilege	5852	taskkill.exe
Token: SeDebugPrivilege	5172	taskkill.exe
Token: SeDebugPrivilege	6076	taskkill.exe
Token: SeDebugPrivilege	5752	taskkill.exe
Token: SeDebugPrivilege	6012	taskkill.exe
Token: SeDebugPrivilege	5740	taskkill.exe
Token: SeDebugPrivilege	5160	taskkill.exe
Token: SeDebugPrivilege	5188	taskkill.exe
Token: SeDebugPrivilege	5656	taskkill.exe
Token: SeDebugPrivilege	6008	taskkill.exe
Token: SeDebugPrivilege	6060	taskkill.exe
Token: SeDebugPrivilege	6132	taskkill.exe
Token: SeDebugPrivilege	5568	taskkill.exe
Token: SeDebugPrivilege	5580	taskkill.exe
Token: SeDebugPrivilege	5512	taskkill.exe
Token: SeDebugPrivilege	5880	taskkill.exe
Token: SeDebugPrivilege	6160	taskkill.exe
Token: SeDebugPrivilege	6224	taskkill.exe
Token: SeDebugPrivilege	6288	taskkill.exe
Token: SeDebugPrivilege	6348	taskkill.exe
Token: SeDebugPrivilege	6400	taskkill.exe
Token: SeDebugPrivilege	6456	taskkill.exe
Token: SeDebugPrivilege	6512	taskkill.exe
Token: SeShutdownPrivilege	6328	explorer.exe
Token: SeCreatePagefilePrivilege	6328	explorer.exe
Token: SeShutdownPrivilege	6328	explorer.exe
Token: SeCreatePagefilePrivilege	6328	explorer.exe
Token: SeShutdownPrivilege	6328	explorer.exe
Token: SeCreatePagefilePrivilege	6328	explorer.exe
Token: SeShutdownPrivilege	6328	explorer.exe
Token: SeCreatePagefilePrivilege	6328	explorer.exe
Token: SeShutdownPrivilege	6328	explorer.exe
Token: SeCreatePagefilePrivilege	6328	explorer.exe
Token: SeShutdownPrivilege	6328	explorer.exe
Token: SeCreatePagefilePrivilege	6328	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
6328	explorer.exe
6328	explorer.exe
6328	explorer.exe
6328	explorer.exe
6328	explorer.exe
6328	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
6328	explorer.exe
6328	explorer.exe
6328	explorer.exe
6328	explorer.exe
6328	explorer.exe
6328	explorer.exe
6328	explorer.exe
6328	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 3792	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	85
PID 4052 wrote to memory of 3792	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	85
PID 4052 wrote to memory of 3792	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	85
PID 3792 wrote to memory of 2644	3792	net.exe	87
PID 3792 wrote to memory of 2644	3792	net.exe	87
PID 3792 wrote to memory of 2644	3792	net.exe	87
PID 4052 wrote to memory of 1108	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	88
PID 4052 wrote to memory of 1108	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	88
PID 4052 wrote to memory of 1108	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	88
PID 1108 wrote to memory of 4964	1108	net.exe	90
PID 1108 wrote to memory of 4964	1108	net.exe	90
PID 1108 wrote to memory of 4964	1108	net.exe	90
PID 4052 wrote to memory of 4324	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	91
PID 4052 wrote to memory of 4324	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	91
PID 4052 wrote to memory of 4324	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	91
PID 4324 wrote to memory of 820	4324	net.exe	93
PID 4324 wrote to memory of 820	4324	net.exe	93
PID 4324 wrote to memory of 820	4324	net.exe	93
PID 4052 wrote to memory of 1136	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	94
PID 4052 wrote to memory of 1136	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	94
PID 4052 wrote to memory of 1136	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	94
PID 1136 wrote to memory of 1380	1136	net.exe	96
PID 1136 wrote to memory of 1380	1136	net.exe	96
PID 1136 wrote to memory of 1380	1136	net.exe	96
PID 4052 wrote to memory of 2416	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	97
PID 4052 wrote to memory of 2416	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	97
PID 4052 wrote to memory of 2416	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	97
PID 2416 wrote to memory of 4468	2416	net.exe	99
PID 2416 wrote to memory of 4468	2416	net.exe	99
PID 2416 wrote to memory of 4468	2416	net.exe	99
PID 4052 wrote to memory of 3040	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	100
PID 4052 wrote to memory of 3040	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	100
PID 4052 wrote to memory of 3040	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	100
PID 3040 wrote to memory of 924	3040	net.exe	102
PID 3040 wrote to memory of 924	3040	net.exe	102
PID 3040 wrote to memory of 924	3040	net.exe	102
PID 4052 wrote to memory of 552	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	103
PID 4052 wrote to memory of 552	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	103
PID 4052 wrote to memory of 552	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	103
PID 552 wrote to memory of 1532	552	net.exe	105
PID 552 wrote to memory of 1532	552	net.exe	105
PID 552 wrote to memory of 1532	552	net.exe	105
PID 4052 wrote to memory of 4760	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	106
PID 4052 wrote to memory of 4760	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	106
PID 4052 wrote to memory of 4760	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	106
PID 4760 wrote to memory of 2876	4760	net.exe	108
PID 4760 wrote to memory of 2876	4760	net.exe	108
PID 4760 wrote to memory of 2876	4760	net.exe	108
PID 4052 wrote to memory of 4888	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	109
PID 4052 wrote to memory of 4888	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	109
PID 4052 wrote to memory of 4888	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	109
PID 4888 wrote to memory of 4908	4888	net.exe	111
PID 4888 wrote to memory of 4908	4888	net.exe	111
PID 4888 wrote to memory of 4908	4888	net.exe	111
PID 4052 wrote to memory of 2360	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	112
PID 4052 wrote to memory of 2360	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	112
PID 4052 wrote to memory of 2360	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	112
PID 2360 wrote to memory of 3240	2360	net.exe	114
PID 2360 wrote to memory of 3240	2360	net.exe	114
PID 2360 wrote to memory of 3240	2360	net.exe	114
PID 4052 wrote to memory of 1196	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	115
PID 4052 wrote to memory of 1196	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	115
PID 4052 wrote to memory of 1196	4052	20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe	115
PID 1196 wrote to memory of 3932	1196	net.exe	117

C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\net.exe
  net stop "Acronis VSS Provider" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:2644
- C:\Windows\SysWOW64\net.exe
  net stop "Enterprise Client Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    PID:4964
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Agent" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:820
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos AutoUpdate Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:1380
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Clean Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:4468
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Device Control Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:924
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos File Scanner Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:1532
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Health Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    PID:2876
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Agent" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    PID:4908
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Client" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    PID:3240
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Message Router" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    PID:3932
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Safestore Service" /y
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos System Protection Service" /y
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3048
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Web Control Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:3508
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Backup Service" /y
  2⤵
  PID:2952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    PID:2328
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Filter Service" /y
  2⤵
  PID:3308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
- C:\Windows\SysWOW64\net.exe
  net stop "Symantec System Recovery" /y
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:5076
- C:\Windows\SysWOW64\net.exe
  net stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:3180
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:2100
- C:\Windows\SysWOW64\net.exe
  net stop "AcronisAgent" /y
  2⤵
  PID:4300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcronisAgent" /y
    3⤵
    PID:3288
- C:\Windows\SysWOW64\net.exe
  net stop "AcrSch2Svc" /y
  2⤵
  PID:3144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcrSch2Svc" /y
    3⤵
    PID:1732
- C:\Windows\SysWOW64\net.exe
  net stop "Antivirus" /y
  2⤵
  PID:3936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Antivirus" /y
    3⤵
    PID:3708
- C:\Windows\SysWOW64\net.exe
  net stop "ARSM" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ARSM" /y
    3⤵
    PID:4772
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentAccelerator" /y
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:540
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentBrowser" /y
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y
    3⤵
    PID:2368
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecDeviceMediaService" /y
  2⤵
  PID:1160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
    3⤵
    PID:5004
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecJobEngine" /y
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
    3⤵
    PID:3704
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecManagementService" /y
  2⤵
  PID:4044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecManagementService" /y
    3⤵
    PID:4700
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecRPCService" /y
  2⤵
  PID:5044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecRPCService" /y
    3⤵
    PID:4352
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecVSSProvider" /y
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
    3⤵
    PID:4848
- C:\Windows\SysWOW64\net.exe
  net stop "bedbg" /y
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "bedbg" /y
    3⤵
    PID:1796
- C:\Windows\SysWOW64\net.exe
  net stop "DCAgent" /y
  2⤵
  PID:828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "DCAgent" /y
    3⤵
    PID:464
- C:\Windows\SysWOW64\net.exe
  net stop "EPSecurityService" /y
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPSecurityService" /y
    3⤵
    PID:2512
- C:\Windows\SysWOW64\net.exe
  net stop "EPUpdateService" /y
  2⤵
  PID:2996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPUpdateService" /y
    3⤵
    PID:5092
- C:\Windows\SysWOW64\net.exe
  net stop "EraserSvc11710" /y
  2⤵
  PID:4544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EraserSvc11710" /y
    3⤵
    PID:2648
- C:\Windows\SysWOW64\net.exe
  net stop "EsgShKernel" /y
  2⤵
  PID:4968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EsgShKernel" /y
    3⤵
    PID:2112
- C:\Windows\SysWOW64\net.exe
  net stop "FA_Scheduler" /y
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "FA_Scheduler" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1092
- C:\Windows\SysWOW64\net.exe
  net stop "IISAdmin" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IISAdmin" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4960
- C:\Windows\SysWOW64\net.exe
  net stop "IMAP4Svc" /y
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IMAP4Svc" /y
    3⤵
    PID:1700
- C:\Windows\SysWOW64\net.exe
  net stop "macmnsvc" /y
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "macmnsvc" /y
    3⤵
    PID:3452
- C:\Windows\SysWOW64\net.exe
  net stop "masvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4100
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "masvc" /y
    3⤵
    PID:3472
- C:\Windows\SysWOW64\net.exe
  net stop "MBAMService" /y
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBAMService" /y
    3⤵
    PID:1672
- C:\Windows\SysWOW64\net.exe
  net stop "MBEndpointAgent" /y
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBEndpointAgent" /y
    3⤵
    PID:3664
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeEngineService" /y
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeEngineService" /y
    3⤵
    PID:4308
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFramework" /y
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFramework" /y
    3⤵
    PID:5060
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFrameworkMcAfeeFramework" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y
    3⤵
    PID:3532
- C:\Windows\SysWOW64\net.exe
  net stop "McShield" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4656
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McShield" /y
    3⤵
    PID:3388
- C:\Windows\SysWOW64\net.exe
  net stop "McTaskManager" /y
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McTaskManager" /y
    3⤵
    PID:1936
- C:\Windows\SysWOW64\net.exe
  net stop "mfemms" /y
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfemms" /y
    3⤵
    PID:1916
- C:\Windows\SysWOW64\net.exe
  net stop "mfevtp" /y
  2⤵
  PID:4560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfevtp" /y
    3⤵
    PID:5052
- C:\Windows\SysWOW64\net.exe
  net stop "MMS" /y
  2⤵
  PID:2568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MMS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3740
- C:\Windows\SysWOW64\net.exe
  net stop "mozyprobackup" /y
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mozyprobackup" /y
    3⤵
    PID:396
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer" /y
  2⤵
  PID:5028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer" /y
    3⤵
    PID:4356
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer100" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer100" /y
    3⤵
    PID:1644
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer110" /y
  2⤵
  PID:4992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer110" /y
    3⤵
    PID:3332
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeES" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeES" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeIS" /y
  2⤵
  PID:4212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeIS" /y
    3⤵
    PID:1208
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMGMT" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
    3⤵
    PID:2260
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMTA" /y
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMTA" /y
    3⤵
    PID:1100
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSA" /y
  2⤵
  PID:512
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSA" /y
    3⤵
    PID:3204
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSRS" /y
  2⤵
  PID:4320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSRS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3884
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SQL_2008" /y
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
    3⤵
    PID:2500
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SYSTEM_BGC" /y
  2⤵
  PID:384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3524
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPS" /y
  2⤵
  PID:4904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
    3⤵
    PID:3528
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPSAMA" /y
  2⤵
  PID:4948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
    3⤵
    PID:5096
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$BKUPEXEC" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
    3⤵
    PID:4836
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$ECWDB2" /y
  2⤵
  PID:888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
    3⤵
    PID:2144
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTICEMGT" /y
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
    3⤵
    PID:2208
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTTICEBGC" /y
  2⤵
  PID:3340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
    3⤵
    PID:4244
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROFXENGAGEMENT" /y
  2⤵
  PID:4852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
    3⤵
    PID:3636
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SBSMONITORING" /y
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1624
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SHAREPOINT" /y
  2⤵
  PID:2684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
    3⤵
    PID:3920
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQL_2008" /y
  2⤵
  PID:3336
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
    3⤵
    PID:4092
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SYSTEM_BGC" /y
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
    3⤵
    PID:2968
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPS" /y
  2⤵
  PID:4824
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPS" /y
    3⤵
    PID:4540
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPSAMA" /y
  2⤵
  PID:1340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
    3⤵
    PID:5084
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    PID:3296
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2012" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
    3⤵
    PID:400
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher" /y
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
    3⤵
    PID:4892
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
  2⤵
  PID:4032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
    3⤵
    PID:4844
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SBSMONITORING" /y
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
    3⤵
    PID:1896
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SHAREPOINT" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
    3⤵
    PID:1360
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SQL_2008" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
    3⤵
    PID:2900
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SYSTEM_BGC" /y
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
    3⤵
    PID:3100
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPS" /y
  2⤵
  PID:2108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
    3⤵
    PID:3464
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPSAMA" /y
  2⤵
  PID:4592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
    3⤵
    PID:3764
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLSERVER" /y
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLSERVER" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper100" /y
  2⤵
  PID:4424
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
    3⤵
    PID:2844
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerOLAPService" /y
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4172
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL80" /y
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL80" /y
    3⤵
    PID:4504
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL57" /y
  2⤵
  PID:4372
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL57" /y
    3⤵
    PID:4920
- C:\Windows\SysWOW64\net.exe
  net stop "ntrtscan" /y
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ntrtscan" /y
    3⤵
    PID:3228
- C:\Windows\SysWOW64\net.exe
  net stop "OracleClientCache80" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "OracleClientCache80" /y
    3⤵
    PID:1368
- C:\Windows\SysWOW64\net.exe
  net stop "PDVFSService" /y
  2⤵
  PID:5056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "PDVFSService" /y
    3⤵
    PID:1760
- C:\Windows\SysWOW64\net.exe
  net stop "POP3Svc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "POP3Svc" /y
    3⤵
    PID:1920
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer" /y
  2⤵
  PID:632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer" /y
    3⤵
    PID:4296
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SQL_2008" /y
  2⤵
  PID:3328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
    3⤵
    PID:4884
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SYSTEM_BGC" /y
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
    3⤵
    PID:544
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPS" /y
  2⤵
  PID:816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1464
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPSAMA" /y
  2⤵
  PID:4408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
    3⤵
    PID:3900
- C:\Windows\SysWOW64\net.exe
  net stop "RESvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "RESvc" /y
    3⤵
    PID:116
- C:\Windows\SysWOW64\net.exe
  net stop "sacsvr" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sacsvr" /y
    3⤵
    PID:3360
- C:\Windows\SysWOW64\net.exe
  net stop "SamSs" /y
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:680
- C:\Windows\SysWOW64\net.exe
  net stop "SAVAdminService" /y
  2⤵
  PID:232
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVAdminService" /y
    3⤵
    PID:1296
- C:\Windows\SysWOW64\net.exe
  net stop "SAVService" /y
  2⤵
  PID:3300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVService" /y
    3⤵
    PID:2380
- C:\Windows\SysWOW64\net.exe
  net stop "SDRSVC" /y
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:316
- C:\Windows\SysWOW64\net.exe
  net stop "SepMasterService" /y
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SepMasterService" /y
    3⤵
    PID:4564
- C:\Windows\SysWOW64\net.exe
  net stop "ShMonitor" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ShMonitor" /y
    3⤵
    PID:4036
- C:\Windows\SysWOW64\net.exe
  net stop "Smcinst" /y
  2⤵
  PID:364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Smcinst" /y
    3⤵
    PID:736
- C:\Windows\SysWOW64\net.exe
  net stop "SmcService" /y
  2⤵
  PID:4660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SmcService" /y
    3⤵
    PID:1812
- C:\Windows\SysWOW64\net.exe
  net stop "SMTPSvc" /y
  2⤵
  PID:408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SMTPSvc" /y
    3⤵
    PID:3000
- C:\Windows\SysWOW64\net.exe
  net stop "SNAC" /y
  2⤵
  PID:3584
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SNAC" /y
    3⤵
    PID:2216
- C:\Windows\SysWOW64\net.exe
  net stop "SntpService" /y
  2⤵
  PID:4784
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SntpService" /y
    3⤵
    PID:2096
- C:\Windows\SysWOW64\net.exe
  net stop "sophossps" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sophossps" /y
    3⤵
    PID:760
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$BKUPEXEC" /y
  2⤵
  PID:4272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
    3⤵
    PID:3184
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$ECWDB2" /y
  2⤵
  PID:4664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
    3⤵
    PID:4472
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEBGC" /y
  2⤵
  PID:2848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
    3⤵
    PID:3268
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEMGT" /y
  2⤵
  PID:2068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
    3⤵
    PID:2572
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROFXENGAGEMENT" /y
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
    3⤵
    PID:3980
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SBSMONITORING" /y
  2⤵
  PID:592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
    3⤵
    PID:4652
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SHAREPOINT" /y
  2⤵
  PID:968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2024
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQL_2008" /y
  2⤵
  PID:4104
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
    3⤵
    PID:1020
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SYSTEM_BGC" /y
  2⤵
  PID:2936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
    3⤵
    PID:5108
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPS" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:920
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPSAMA" /y
  2⤵
  PID:4492
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
    3⤵
    PID:1332
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    PID:4828
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2012" /y
  2⤵
  PID:3596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
    3⤵
    PID:2484
- C:\Windows\SysWOW64\net.exe
  net stop "SQLBrowser" /y
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLBrowser" /y
    3⤵
    PID:1660
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSafeOLRService" /y
  2⤵
  PID:524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
    3⤵
    PID:852
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSERVERAGENT" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
    3⤵
    PID:4392
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY" /y
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
    3⤵
    PID:1180
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY$ECWDB2" /y
  2⤵
  PID:4984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:460
- C:\Windows\SysWOW64\net.exe
  net stop "SQLWriter" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLWriter" /y
    3⤵
    PID:2552
- C:\Windows\SysWOW64\net.exe
  net stop "SstpSvc" /y
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3656
- C:\Windows\SysWOW64\net.exe
  net stop "svcGenericHost" /y
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "svcGenericHost" /y
    3⤵
    PID:2748
- C:\Windows\SysWOW64\net.exe
  net stop "swi_filter" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_filter" /y
    3⤵
    PID:528
- C:\Windows\SysWOW64\net.exe
  net stop "swi_service" /y
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_service" /y
    3⤵
    PID:452
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update_64" /y
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update_64" /y
    3⤵
    PID:3164
- C:\Windows\SysWOW64\net.exe
  net stop "TmCCSF" /y
  2⤵
  PID:4112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TmCCSF" /y
    3⤵
    PID:3616
- C:\Windows\SysWOW64\net.exe
  net stop "tmlisten" /y
  2⤵
  PID:1872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "tmlisten" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1552
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKey" /y
  2⤵
  PID:224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKey" /y
    3⤵
    PID:3292
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyScheduler" /y
  2⤵
  PID:2384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyScheduler" /y
    3⤵
    PID:2324
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyServiceHelper" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y
    3⤵
    PID:4144
- C:\Windows\SysWOW64\net.exe
  net stop "UI0Detect" /y
  2⤵
  PID:752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:3744
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBackupSvc" /y
  2⤵
  PID:3728
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4236
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBrokerSvc" /y
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y
    3⤵
    PID:1928
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCatalogSvc" /y
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3576
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCloudSvc" /y
  2⤵
  PID:1000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
    3⤵
    PID:4840
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploymentService" /y
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploymentService" /y
    3⤵
    PID:5064
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploySvc" /y
  2⤵
  PID:5136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploySvc" /y
    3⤵
    PID:5196
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamEnterpriseManagerSvc" /y
  2⤵
  PID:5216
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
    3⤵
    PID:5264
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamMountSvc" /y
  2⤵
  PID:5280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamMountSvc" /y
    3⤵
    PID:5328
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamNFSSvc" /y
  2⤵
  PID:5344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
    3⤵
    PID:5392
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamRESTSvc" /y
  2⤵
  PID:5408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
    3⤵
    PID:5456
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamTransportSvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamTransportSvc" /y
    3⤵
    PID:5520
- C:\Windows\SysWOW64\net.exe
  net stop "W3Svc" /y
  2⤵
  PID:5536
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "W3Svc" /y
    3⤵
    PID:5584
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:5648
- C:\Windows\SysWOW64\net.exe
  net stop "WRSVC" /y
  2⤵
  PID:5664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WRSVC" /y
    3⤵
    PID:5716
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  PID:5732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    PID:5780
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:5796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5844
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamHvIntegrationSvc" /y
  2⤵
  PID:5860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y
    3⤵
    PID:5908
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update" /y
  2⤵
  PID:5924
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update" /y
    3⤵
    PID:5968
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CXDB" /y
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6024
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CITRIX_METAFRAME" /y
  2⤵
  PID:6040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6088
- C:\Windows\SysWOW64\net.exe
  net stop "SQL Backups" /y
  2⤵
  PID:6104
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQL Backups" /y
    3⤵
    PID:5128
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROD" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3260
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROD" /y
    3⤵
    PID:5192
- C:\Windows\SysWOW64\net.exe
  net stop "Zoolz 2 Service" /y
  2⤵
  PID:5152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
    3⤵
    PID:5260
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper" /y
  2⤵
  PID:5248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
    3⤵
    PID:5312
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROD" /y
  2⤵
  PID:5360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5428
- C:\Windows\SysWOW64\net.exe
  net stop "msftesql$PROD" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5460
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "msftesql$PROD" /y
    3⤵
    PID:5532
- C:\Windows\SysWOW64\net.exe
  net stop "NetMsmqActivator" /y
  2⤵
  PID:5496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    PID:5576
- C:\Windows\SysWOW64\net.exe
  net stop "EhttpSrv" /y
  2⤵
  PID:5564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EhttpSrv" /y
    3⤵
    PID:5636
- C:\Windows\SysWOW64\net.exe
  net stop "ekrn" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5680
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ekrn" /y
    3⤵
    PID:5672
- C:\Windows\SysWOW64\net.exe
  net stop "ESHASRV" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ESHASRV" /y
    3⤵
    PID:5808
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SOPHOS" /y
  2⤵
  PID:5820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
    3⤵
    PID:5884
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SOPHOS" /y
  2⤵
  PID:5876
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
    3⤵
    PID:5956
- C:\Windows\SysWOW64\net.exe
  net stop "AVP" /y
  2⤵
  PID:6036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AVP" /y
    3⤵
    PID:6052
- C:\Windows\SysWOW64\net.exe
  net stop "klnagent" /y
  2⤵
  PID:6084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "klnagent" /y
    3⤵
    PID:2464
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQLEXPRESS" /y
  2⤵
  PID:6136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5200
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQLEXPRESS" /y
  2⤵
  PID:4744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
    3⤵
    PID:5228
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:5400
- C:\Windows\SysWOW64\net.exe
  net stop "kavfsslp" /y
  2⤵
  PID:5352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "kavfsslp" /y
    3⤵
    PID:5524
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFSGT" /y
  2⤵
  PID:5416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFSGT" /y
    3⤵
    PID:5588
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFS" /y
  2⤵
  PID:5508
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFS" /y
    3⤵
    PID:5660
- C:\Windows\SysWOW64\net.exe
  net stop "mfefire" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfefire" /y
    3⤵
    PID:5848
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM zoolz.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5816
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM agntsvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5976
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbeng50.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6072
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbsnmp.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5180
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM encsvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5288
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM excel.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5424
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefoxconfig.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5528
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM infopath.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5552
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM isqlplussvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5644
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msaccess.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5704
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msftesql.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5888
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mspub.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6092
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopqos.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5184
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopservice.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5272
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5596
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-nt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5640
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-opt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5772
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocautoupds.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5904
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocomm.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5176
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocssd.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5420
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM onenote.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5856
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM oracle.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5852
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM outlook.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5172
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM powerpnt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6076
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqbcoreservice.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlagent.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6012
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlbrowser.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5740
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlservr.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5160
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlwriter.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5188
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM steam.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5656
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM synctime.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tbirdconfig.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6060
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6132
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat64.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5568
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thunderbird.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5580
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM visio.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5512
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM winword.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5880
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM wordpad.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6160
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM xfssvccon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6224
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tmlisten.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6288
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM PccNTMon.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6348
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM CNTAoSMgr.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6400
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM Ntrtscan.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6456
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mbamtray.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7364
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 364
  2⤵
  - Program crash
  PID:2116

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4052 -ip 4052
1⤵
PID:7380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini

Filesize
488B

MD5
7e7ea0223350b00f64c41144974bbe90

SHA1
282cec4a5ad986c746ff7524628010b5fd68be21

SHA256
10ae91733f28b637a99126f7e21290802a79a2a03295e41751b8a515b0b3b8f8

SHA512
57924dee051777ff034d10e54851bb960f06bb66a30e6d58244ce597d2c5f1006d15fbf007178f592e9216e47d915d5f831546c3949b905eca38bd91a49d61dd

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.MEDUSA

Filesize
623KB

MD5
2fb5d14ee7ea7b1688e9e21ab5be7504

SHA1
bf3d80cdc7ce3503a70159e17ec4089b114253a8

SHA256
720d90a6476d9b410cb46c6910c819bb3e5caaab1cee0b905991bd27acfb02bd

SHA512
734ce564e1ed341e16304cfedd87298354e59e584d657de403fbb2c81bfbad0b7e1f2b5d5f14acaf36870f33d8b0e4dee88b4b0be1978ab25166df8d87dd46f4

Download Submit
F:\!!!READ_ME_MEDUSA!!!.txt

Filesize
3KB

MD5
059811161d1eb0b9c131d4ca58fb273e

SHA1
137cda40b70978a85f34afcd3e8deac116cfe460

SHA256
e2cfaba956d1da00e2f2ab03474876e7d88e5b746c5c38932af32d6abe85d90b

SHA512
73770f346044da39220bbc0c47e271562d394f14b54f30391af15f09df9d7b0a90adcc06745a5b3681c182ec1db03998cbb6d1f100e81626eae87cddd6097fdd

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads