Malware Analysis Report

2024-12-07 17:08

Sample ID 241001-r243eayeqe
Target 20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike
SHA256 6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de
Tags
medusaransomware credential_access defense_evasion discovery execution impact ransomware spyware stealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de

Threat Level: Known bad

The file 20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike was found to be: Known bad.

Malicious Activity Summary

medusaransomware credential_access defense_evasion discovery execution impact ransomware spyware stealer persistence

Medusa Ransomware

Renames multiple (8812) files with added filename extension

Renames multiple (8777) files with added filename extension

Deletes shadow copies

Boot or Logon Autostart Execution: Active Setup

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Drops desktop.ini file(s)

Enumerates connected drives

Network Share Discovery

Drops file in Program Files directory

Program crash

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Browser Information Discovery

Runs ping.exe

Interacts with shadow copies

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-01 14:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-01 14:42

Reported

2024-10-01 14:44

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe"

Signatures

Medusa Ransomware

ransomware medusaransomware

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (8777) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7CO3PKGI\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IQBL5G2Z\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROVWYKHE\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\63WZ73PY\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYC3PENY\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9C9T5AL\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A

Network Share Discovery

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanResume.Dotx C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7en.kic C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLACCT.DLL C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files\Common Files\System\ado\en-US\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01560_.WMF C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\validation.js C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4ADT C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\ja-JP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\adojavas.inc C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0305257.WMF C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SCNPST32.DLL C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files (x86)\Windows Mail\ja-JP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files (x86)\Common Files\System\MSMAPI\1033\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRTINST.WMF C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Name.accft C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBCAL.DPV C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\System\es-ES\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107134.WMF C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Thatch.dotx C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_down.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_docked.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\settings.css C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00006_.WMF C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\gadget.xml C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00942_.WMF C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00397_.WMF C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBAD.XML C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\EXPLODE.WAV C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2684 wrote to memory of 2692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2684 wrote to memory of 2692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2684 wrote to memory of 2692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2684 wrote to memory of 2692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2272 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2768 wrote to memory of 2764 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2768 wrote to memory of 2764 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2768 wrote to memory of 2764 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2768 wrote to memory of 2764 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2272 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2676 wrote to memory of 2872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2676 wrote to memory of 2872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2676 wrote to memory of 2872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2676 wrote to memory of 2872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2272 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2584 wrote to memory of 568 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2584 wrote to memory of 568 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2584 wrote to memory of 568 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2584 wrote to memory of 568 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2272 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2696 wrote to memory of 2672 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2696 wrote to memory of 2672 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2696 wrote to memory of 2672 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2696 wrote to memory of 2672 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2272 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2608 wrote to memory of 2568 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2608 wrote to memory of 2568 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2608 wrote to memory of 2568 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2608 wrote to memory of 2568 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2272 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2576 wrote to memory of 2632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2576 wrote to memory of 2632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2576 wrote to memory of 2632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2576 wrote to memory of 2632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2272 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2532 wrote to memory of 2616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2532 wrote to memory of 2616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2532 wrote to memory of 2616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2532 wrote to memory of 2616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe"

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "AcronisAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcronisAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "Antivirus" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Antivirus" /y

C:\Windows\SysWOW64\net.exe

net stop "ARSM" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ARSM" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net.exe

net stop "bedbg" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "bedbg" /y

C:\Windows\SysWOW64\net.exe

net stop "DCAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "DCAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "EPSecurityService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPSecurityService" /y

C:\Windows\SysWOW64\net.exe

net stop "EPUpdateService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPUpdateService" /y

C:\Windows\SysWOW64\net.exe

net stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net.exe

net stop "EsgShKernel" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EsgShKernel" /y

C:\Windows\SysWOW64\net.exe

net stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "IISAdmin" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IISAdmin" /y

C:\Windows\SysWOW64\net.exe

net stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "macmnsvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "macmnsvc" /y

C:\Windows\SysWOW64\net.exe

net stop "masvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "masvc" /y

C:\Windows\SysWOW64\net.exe

net stop "MBAMService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBAMService" /y

C:\Windows\SysWOW64\net.exe

net stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McShield" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McShield" /y

C:\Windows\SysWOW64\net.exe

net stop "McTaskManager" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McTaskManager" /y

C:\Windows\SysWOW64\net.exe

net stop "mfemms" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfemms" /y

C:\Windows\SysWOW64\net.exe

net stop "mfevtp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfevtp" /y

C:\Windows\SysWOW64\net.exe

net stop "MMS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MMS" /y

C:\Windows\SysWOW64\net.exe

net stop "mozyprobackup" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mozyprobackup" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeES" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeES" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL80" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL57" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL57" /y

C:\Windows\SysWOW64\net.exe

net stop "ntrtscan" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ntrtscan" /y

C:\Windows\SysWOW64\net.exe

net stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net.exe

net stop "PDVFSService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "PDVFSService" /y

C:\Windows\SysWOW64\net.exe

net stop "POP3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "POP3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "RESvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "RESvc" /y

C:\Windows\SysWOW64\net.exe

net stop "sacsvr" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sacsvr" /y

C:\Windows\SysWOW64\net.exe

net stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVAdminService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVAdminService" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVService" /y

C:\Windows\SysWOW64\net.exe

net stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "SepMasterService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SepMasterService" /y

C:\Windows\SysWOW64\net.exe

net stop "ShMonitor" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ShMonitor" /y

C:\Windows\SysWOW64\net.exe

net stop "Smcinst" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Smcinst" /y

C:\Windows\SysWOW64\net.exe

net stop "SmcService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SmcService" /y

C:\Windows\SysWOW64\net.exe

net stop "SMTPSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SMTPSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "SNAC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SNAC" /y

C:\Windows\SysWOW64\net.exe

net stop "SntpService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SntpService" /y

C:\Windows\SysWOW64\net.exe

net stop "sophossps" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sophossps" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLWriter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLWriter" /y

C:\Windows\SysWOW64\net.exe

net stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "svcGenericHost" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "svcGenericHost" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_filter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_filter" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_service" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update_64" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update_64" /y

C:\Windows\SysWOW64\net.exe

net stop "TmCCSF" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TmCCSF" /y

C:\Windows\SysWOW64\net.exe

net stop "tmlisten" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "tmlisten" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKey" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKey" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "W3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "W3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "WRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net stop "EhttpSrv" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EhttpSrv" /y

C:\Windows\SysWOW64\net.exe

net stop "ekrn" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ekrn" /y

C:\Windows\SysWOW64\net.exe

net stop "ESHASRV" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ESHASRV" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "AVP" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AVP" /y

C:\Windows\SysWOW64\net.exe

net stop "klnagent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "klnagent" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "kavfsslp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "kavfsslp" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFSGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFSGT" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFS" /y

C:\Windows\SysWOW64\net.exe

net stop "mfefire" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfefire" /y

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM zoolz.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM agntsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbeng50.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbsnmp.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM encsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM excel.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefoxconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM infopath.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM isqlplussvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msaccess.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msftesql.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mspub.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopqos.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-nt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-opt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocautoupds.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocomm.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocssd.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM onenote.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM oracle.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM outlook.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM powerpnt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqbcoreservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlagent.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlbrowser.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlservr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlwriter.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM steam.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM synctime.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tbirdconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat64.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thunderbird.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM visio.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM winword.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM wordpad.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM xfssvccon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tmlisten.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM PccNTMon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM CNTAoSMgr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM Ntrtscan.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mbamtray.exe /T

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 4000

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 3

Network

N/A

Files

F:\!!!READ_ME_MEDUSA!!!.txt

MD5 059811161d1eb0b9c131d4ca58fb273e
SHA1 137cda40b70978a85f34afcd3e8deac116cfe460
SHA256 e2cfaba956d1da00e2f2ab03474876e7d88e5b746c5c38932af32d6abe85d90b
SHA512 73770f346044da39220bbc0c47e271562d394f14b54f30391af15f09df9d7b0a90adcc06745a5b3681c182ec1db03998cbb6d1f100e81626eae87cddd6097fdd

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini

MD5 9af2c0c594a70e33c4bb315c19179751
SHA1 5731a419f01129f06a8d22d9ff17b7dd3d72fbd8
SHA256 aaa68de1e91a6b827dda97aa86ecfce6d28d2b96606dc903465bc203068026bb
SHA512 b9160810c1f030bafe7cf8841199f5956b9e827b486173a9a2b4187450818f697391d147dae3914c03c673aac2cc25ca013477b39a6fe74773ab3b368f938014

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-01 14:42

Reported

2024-10-01 14:44

Platform

win10v2004-20240802-en

Max time kernel

96s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe"

Signatures

Medusa Ransomware

ransomware medusaransomware

Renames multiple (8812) files with added filename extension

ransomware

Boot or Logon Autostart Execution: Active Setup

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe | N/A

Network Share Discovery

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCacheMini.scale-125.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\1.jpg C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\SolitaireLiveTileUpdater.winmd C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\applet\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericIntl-1.jpg C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-96_contrast-black.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\View3d\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\ui-strings.js C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files (x86)\Google\Temp\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\hi.pak.DATA C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons_retina.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\de-DE\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-60_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\UserControls\RangeSelector.xbf C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_history_18.svg C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\ui-strings.js C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_18.svg C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LargeTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_replace_signer_18.svg C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\ui-strings.js C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_link_18.svg C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\resources.pri C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{B5613F07-2B3D-4B45-81AE-76D35AF232FF} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4052 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 3792 wrote to memory of 2644 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3792 wrote to memory of 2644 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3792 wrote to memory of 2644 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4052 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1108 wrote to memory of 4964 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1108 wrote to memory of 4964 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1108 wrote to memory of 4964 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4052 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4324 wrote to memory of 820 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4324 wrote to memory of 820 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4324 wrote to memory of 820 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4052 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1136 wrote to memory of 1380 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1136 wrote to memory of 1380 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1136 wrote to memory of 1380 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4052 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2416 wrote to memory of 4468 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2416 wrote to memory of 4468 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2416 wrote to memory of 4468 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4052 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 3040 wrote to memory of 924 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3040 wrote to memory of 924 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3040 wrote to memory of 924 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4052 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 552 wrote to memory of 1532 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 552 wrote to memory of 1532 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 552 wrote to memory of 1532 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4052 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4760 wrote to memory of 2876 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4760 wrote to memory of 2876 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4760 wrote to memory of 2876 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4052 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4888 wrote to memory of 4908 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4888 wrote to memory of 4908 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4888 wrote to memory of 4908 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4052 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2360 wrote to memory of 3240 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2360 wrote to memory of 3240 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2360 wrote to memory of 3240 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4052 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4052 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1196 wrote to memory of 3932 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe"

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "AcronisAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcronisAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "Antivirus" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Antivirus" /y

C:\Windows\SysWOW64\net.exe

net stop "ARSM" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ARSM" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net.exe

net stop "bedbg" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "bedbg" /y

C:\Windows\SysWOW64\net.exe

net stop "DCAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "DCAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "EPSecurityService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPSecurityService" /y

C:\Windows\SysWOW64\net.exe

net stop "EPUpdateService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPUpdateService" /y

C:\Windows\SysWOW64\net.exe

net stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net.exe

net stop "EsgShKernel" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EsgShKernel" /y

C:\Windows\SysWOW64\net.exe

net stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "IISAdmin" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IISAdmin" /y

C:\Windows\SysWOW64\net.exe

net stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "macmnsvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "macmnsvc" /y

C:\Windows\SysWOW64\net.exe

net stop "masvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "masvc" /y

C:\Windows\SysWOW64\net.exe

net stop "MBAMService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBAMService" /y

C:\Windows\SysWOW64\net.exe

net stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McShield" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McShield" /y

C:\Windows\SysWOW64\net.exe

net stop "McTaskManager" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McTaskManager" /y

C:\Windows\SysWOW64\net.exe

net stop "mfemms" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfemms" /y

C:\Windows\SysWOW64\net.exe

net stop "mfevtp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfevtp" /y

C:\Windows\SysWOW64\net.exe

net stop "MMS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MMS" /y

C:\Windows\SysWOW64\net.exe

net stop "mozyprobackup" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mozyprobackup" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeES" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeES" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL80" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL57" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL57" /y

C:\Windows\SysWOW64\net.exe

net stop "ntrtscan" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ntrtscan" /y

C:\Windows\SysWOW64\net.exe

net stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net.exe

net stop "PDVFSService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "PDVFSService" /y

C:\Windows\SysWOW64\net.exe

net stop "POP3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "POP3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "RESvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "RESvc" /y

C:\Windows\SysWOW64\net.exe

net stop "sacsvr" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sacsvr" /y

C:\Windows\SysWOW64\net.exe

net stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVAdminService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVAdminService" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVService" /y

C:\Windows\SysWOW64\net.exe

net stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "SepMasterService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SepMasterService" /y

C:\Windows\SysWOW64\net.exe

net stop "ShMonitor" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ShMonitor" /y

C:\Windows\SysWOW64\net.exe

net stop "Smcinst" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Smcinst" /y

C:\Windows\SysWOW64\net.exe

net stop "SmcService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SmcService" /y

C:\Windows\SysWOW64\net.exe

net stop "SMTPSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SMTPSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "SNAC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SNAC" /y

C:\Windows\SysWOW64\net.exe

net stop "SntpService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SntpService" /y

C:\Windows\SysWOW64\net.exe

net stop "sophossps" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sophossps" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLWriter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLWriter" /y

C:\Windows\SysWOW64\net.exe

net stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "svcGenericHost" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "svcGenericHost" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_filter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_filter" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_service" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update_64" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update_64" /y

C:\Windows\SysWOW64\net.exe

net stop "TmCCSF" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TmCCSF" /y

C:\Windows\SysWOW64\net.exe

net stop "tmlisten" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "tmlisten" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKey" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKey" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "W3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "W3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "WRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net stop "EhttpSrv" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EhttpSrv" /y

C:\Windows\SysWOW64\net.exe

net stop "ekrn" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ekrn" /y

C:\Windows\SysWOW64\net.exe

net stop "ESHASRV" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ESHASRV" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "AVP" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AVP" /y

C:\Windows\SysWOW64\net.exe

net stop "klnagent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "klnagent" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "kavfsslp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "kavfsslp" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFSGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFSGT" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFS" /y

C:\Windows\SysWOW64\net.exe

net stop "mfefire" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfefire" /y

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM zoolz.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM agntsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbeng50.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbsnmp.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM encsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM excel.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefoxconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM infopath.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM isqlplussvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msaccess.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msftesql.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mspub.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopqos.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-nt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-opt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocautoupds.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocomm.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocssd.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM onenote.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM oracle.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM outlook.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM powerpnt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqbcoreservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlagent.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlbrowser.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlservr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlwriter.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM steam.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM synctime.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tbirdconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat64.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thunderbird.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM visio.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM winword.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM wordpad.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM xfssvccon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tmlisten.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM PccNTMon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM CNTAoSMgr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM Ntrtscan.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mbamtray.exe /T

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\20241001602d720f1184d2ad739568cbf6403331avoslockercobaltstrike.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4052 -ip 4052

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 364
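
The run of `net stop ... /y`, `taskkill /F /IM ... /T` and the final `cmd /c ping localhost -n 3 > nul & del ...` above is the sample's pre-encryption routine: stop backup, database and security services so their files are not locked, kill the processes that hold documents open, then sleep via ping and delete the dropper. The following Python is an added detection example, not part of the sandbox report or the sample: it scores a batch of process command lines from one process tree for those three behaviours. The keyword list, the thresholds, the `SAMPLE_TRACE` (a slice of the lines above plus benign noise) and the `BENIGN_TRACE` are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Substrings that identify backup, database and security services. Assumption:
# an illustrative list drawn from the service names in the trace, not a
# vendor-maintained catalogue.
PROTECTED_HINTS = ("veeam", "sql", "wbengine", "w3svc", "ekrn", "eshasrv", "avp",
                   "klnagent", "kavfs", "mfefire", "zoolz", "wrsvc", "swi_", "msmq")

# net.exe delegates to net1.exe with the same arguments, so the sandbox records
# every stop twice; the regex accepts both spellings and the caller dedups.
NET_STOP_RE = re.compile(
    r'^(?:.*\\)?net1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s+/y\s*$', re.I)
TASKKILL_RE = re.compile(
    r'^(?:.*\\)?taskkill(?:\.exe)?\s+/F\s+/IM\s+(\S+)\s+/T\s*$', re.I)
# "ping localhost -n N ... & del <x>.exe" is the sleep-then-self-delete idiom.
SELF_DELETE_RE = re.compile(
    r'\bping\s+(?:localhost|127\.0\.0\.1)\s+-n\s+\d+\b.*&\s*del\s+\S+\.exe', re.I)


@dataclass
class Verdict:
    stopped: set = field(default_factory=set)      # unique service names
    killed: set = field(default_factory=set)       # unique image names
    self_delete: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def protected_stopped(self) -> set:
        return {s for s in self.stopped
                if any(h in s.lower() for h in PROTECTED_HINTS)}

    @property
    def score(self) -> int:
        return len(self.reasons)

    @property
    def is_ransomware_prep(self) -> bool:
        # Assumption: two independent behaviours in one tree is the trigger.
        return self.score >= 2


def analyse(cmdlines, *, stop_threshold=5, kill_threshold=5) -> Verdict:
    """Score the command lines of one process tree for the pre-encryption routine."""
    v = Verdict()
    for line in cmdlines:
        line = line.strip()
        if m := NET_STOP_RE.match(line):
            v.stopped.add(m.group(1))
        elif m := TASKKILL_RE.match(line):
            v.killed.add(m.group(1).lower())
        elif SELF_DELETE_RE.search(line):
            v.self_delete.append(line)
    if len(v.stopped) >= stop_threshold and v.protected_stopped:
        v.reasons.append(f"mass net stop: {len(v.stopped)} services, "
                         f"{len(v.protected_stopped)} backup/DB/AV")
    if len(v.killed) >= kill_threshold:
        v.reasons.append(f"mass taskkill /F: {len(v.killed)} images")
    if v.self_delete:
        v.reasons.append("ping-delay self-delete")
    return v


# Constructed sample: a slice of the trace above, including the net1.exe
# duplicates the sandbox records, plus two benign lines as noise.
SAMPLE_TRACE = [
    'net stop "VeeamNFSSvc" /y',
    'C:\\Windows\\system32\\net1 stop "VeeamNFSSvc" /y',
    'net stop "wbengine" /y',
    'C:\\Windows\\system32\\net1 stop "wbengine" /y',
    'net stop "MSSQL$VEEAMSQL2008R2" /y',
    'C:\\Windows\\system32\\net1 stop "MSSQL$VEEAMSQL2008R2" /y',
    'net stop "SQL Backups" /y',
    'C:\\Windows\\system32\\net1 stop "SQL Backups" /y',
    'net stop "Zoolz 2 Service" /y',
    'net stop "ekrn" /y',
    'net stop "mfefire" /y',
    'taskkill /F /IM sqlservr.exe /T',
    'taskkill /F /IM sqlwriter.exe /T',
    'taskkill /F /IM outlook.exe /T',
    'taskkill /F /IM winword.exe /T',
    'taskkill /F /IM mbamtray.exe /T',
    'taskkill /F /IM Ntrtscan.exe /T',
    'C:\\Windows\\System32\\svchost.exe -k netsvcs -p',
    'cmd /c ping localhost -n 3 > nul & del C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe',
]

# Constructed benign tree: an admin restarting the spooler and closing notepad.
BENIGN_TRACE = [
    'net stop "Spooler" /y',
    'C:\\Windows\\system32\\net1 stop "Spooler" /y',
    'taskkill /F /IM notepad.exe /T',
    'ping localhost -n 3',
]

if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        v = analyse(trace)
        print(f"{name}: ransomware_prep={v.is_ransomware_prep} score={v.score}")
        for r in v.reasons:
            print("  -", r)
```

In a real pipeline the batch fed to `analyse` is the set of process-creation events sharing one root ancestor (the dropper), not a whole host's log; the unique-name sets keep the net.exe/net1.exe pairs from double counting, and the Veeam, SQL and AV service names are the stable tell that separates this from an administrator stopping one service.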

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

F:\!!!READ_ME_MEDUSA!!!.txt

MD5 059811161d1eb0b9c131d4ca58fb273e
SHA1 137cda40b70978a85f34afcd3e8deac116cfe460
SHA256 e2cfaba956d1da00e2f2ab03474876e7d88e5b746c5c38932af32d6abe85d90b
SHA512 73770f346044da39220bbc0c47e271562d394f14b54f30391af15f09df9d7b0a90adcc06745a5b3681c182ec1db03998cbb6d1f100e81626eae87cddd6097fdd

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini

MD5 7e7ea0223350b00f64c41144974bbe90
SHA1 282cec4a5ad986c746ff7524628010b5fd68be21
SHA256 10ae91733f28b637a99126f7e21290802a79a2a03295e41751b8a515b0b3b8f8
SHA512 57924dee051777ff034d10e54851bb960f06bb66a30e6d58244ce597d2c5f1006d15fbf007178f592e9216e47d915d5f831546c3949b905eca38bd91a49d61dd

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.MEDUSA

MD5 2fb5d14ee7ea7b1688e9e21ab5be7504
SHA1 bf3d80cdc7ce3503a70159e17ec4089b114253a8
SHA256 720d90a6476d9b410cb46c6910c819bb3e5caaab1cee0b905991bd27acfb02bd
SHA512 734ce564e1ed341e16304cfedd87298354e59e584d657de403fbb2c81bfbad0b7e1f2b5d5f14acaf36870f33d8b0e4dee88b4b0be1978ab25166df8d87dd46f4