Malware Analysis Report

2024-12-07 17:08

Sample ID 241002-lwyesazdmk
Target 2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike
SHA256 91a3b832564a9b29685b393c8bda9925a7da87fd3958625980da06f80f76109d
Tags
medusaransomware credential_access defense_evasion discovery execution impact ransomware spyware stealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

91a3b832564a9b29685b393c8bda9925a7da87fd3958625980da06f80f76109d

Threat Level: Known bad

The file 2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike was found to be: Known bad.

Malicious Activity Summary

medusaransomware credential_access defense_evasion discovery execution impact ransomware spyware stealer persistence

Medusa Ransomware

Deletes shadow copies

Renames multiple (8853) files with added filename extension

Renames multiple (8824) files with added filename extension

Boot or Logon Autostart Execution: Active Setup

Reads user/profile data of web browsers

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Drops desktop.ini file(s)

Network Share Discovery

Enumerates connected drives

Drops file in Program Files directory

Program crash

Unsigned PE

Browser Information Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Runs ping.exe

Suspicious use of SendNotifyMessage

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Interacts with shadow copies

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-02 09:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-02 09:53

Reported

2024-10-02 09:56

Platform

win7-20240903-en

Max time kernel

38s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe"

Signatures

Medusa Ransomware

ransomware medusaransomware

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (8824) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L7XNHY48\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GFIGH6G\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8O71085\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GKATPXW1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GY8QW6M2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\75GKCLJR\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GUJ7UW2N\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A

Network Share Discovery

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00130_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02368_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18217_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\te\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATALOG.XML C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sm\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199307.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\picturePuzzle.html C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01255G.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18211_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSAEXP30.DLL C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15034_.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EAWFINTL.DLL C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10256_.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292982.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB5A.BDR C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\Microsoft Games\More Games\de-DE\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE.HXS C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_F_COL.HXK C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Installed_schemas14.xss C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\MSBuild\Microsoft\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14996_.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_splitter\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35B.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\More Games\de-DE\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Bermuda C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00097_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 880 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2704 wrote to memory of 2692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2704 wrote to memory of 2692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2704 wrote to memory of 2692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2704 wrote to memory of 2692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 880 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2672 wrote to memory of 2920 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2672 wrote to memory of 2920 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2672 wrote to memory of 2920 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2672 wrote to memory of 2920 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 880 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2744 wrote to memory of 2580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2744 wrote to memory of 2580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2744 wrote to memory of 2580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2744 wrote to memory of 2580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 880 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2876 wrote to memory of 2440 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2876 wrote to memory of 2440 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2876 wrote to memory of 2440 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2876 wrote to memory of 2440 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 880 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2712 wrote to memory of 2600 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2712 wrote to memory of 2600 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2712 wrote to memory of 2600 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2712 wrote to memory of 2600 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 880 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2548 wrote to memory of 2576 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2548 wrote to memory of 2576 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2548 wrote to memory of 2576 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2548 wrote to memory of 2576 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 880 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2596 wrote to memory of 1516 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2596 wrote to memory of 1516 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2596 wrote to memory of 1516 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2596 wrote to memory of 1516 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 880 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 880 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2992 wrote to memory of 1844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2992 wrote to memory of 1844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2992 wrote to memory of 1844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2992 wrote to memory of 1844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe"

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "AcronisAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcronisAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "Antivirus" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Antivirus" /y

C:\Windows\SysWOW64\net.exe

net stop "ARSM" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ARSM" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net.exe

net stop "bedbg" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "bedbg" /y

C:\Windows\SysWOW64\net.exe

net stop "DCAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "DCAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "EPSecurityService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPSecurityService" /y

C:\Windows\SysWOW64\net.exe

net stop "EPUpdateService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPUpdateService" /y

C:\Windows\SysWOW64\net.exe

net stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net.exe

net stop "EsgShKernel" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EsgShKernel" /y

C:\Windows\SysWOW64\net.exe

net stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "IISAdmin" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IISAdmin" /y

C:\Windows\SysWOW64\net.exe

net stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "macmnsvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "macmnsvc" /y

C:\Windows\SysWOW64\net.exe

net stop "masvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "masvc" /y

C:\Windows\SysWOW64\net.exe

net stop "MBAMService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBAMService" /y

C:\Windows\SysWOW64\net.exe

net stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McShield" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McShield" /y

C:\Windows\SysWOW64\net.exe

net stop "McTaskManager" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McTaskManager" /y

C:\Windows\SysWOW64\net.exe

net stop "mfemms" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfemms" /y

C:\Windows\SysWOW64\net.exe

net stop "mfevtp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfevtp" /y

C:\Windows\SysWOW64\net.exe

net stop "MMS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MMS" /y

C:\Windows\SysWOW64\net.exe

net stop "mozyprobackup" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mozyprobackup" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeES" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeES" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL80" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL57" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL57" /y

C:\Windows\SysWOW64\net.exe

net stop "ntrtscan" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ntrtscan" /y

C:\Windows\SysWOW64\net.exe

net stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net.exe

net stop "PDVFSService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "PDVFSService" /y

C:\Windows\SysWOW64\net.exe

net stop "POP3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "POP3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "RESvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "RESvc" /y

C:\Windows\SysWOW64\net.exe

net stop "sacsvr" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sacsvr" /y

C:\Windows\SysWOW64\net.exe

net stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVAdminService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVAdminService" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVService" /y

C:\Windows\SysWOW64\net.exe

net stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "SepMasterService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SepMasterService" /y

C:\Windows\SysWOW64\net.exe

net stop "ShMonitor" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ShMonitor" /y

C:\Windows\SysWOW64\net.exe

net stop "Smcinst" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Smcinst" /y

C:\Windows\SysWOW64\net.exe

net stop "SmcService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SmcService" /y

C:\Windows\SysWOW64\net.exe

net stop "SMTPSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SMTPSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "SNAC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SNAC" /y

C:\Windows\SysWOW64\net.exe

net stop "SntpService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SntpService" /y

C:\Windows\SysWOW64\net.exe

net stop "sophossps" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sophossps" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLWriter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLWriter" /y

C:\Windows\SysWOW64\net.exe

net stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "svcGenericHost" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "svcGenericHost" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_filter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_filter" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_service" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update_64" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update_64" /y

C:\Windows\SysWOW64\net.exe

net stop "TmCCSF" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TmCCSF" /y

C:\Windows\SysWOW64\net.exe

net stop "tmlisten" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "tmlisten" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKey" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKey" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "W3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "W3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "WRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net stop "EhttpSrv" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EhttpSrv" /y

C:\Windows\SysWOW64\net.exe

net stop "ekrn" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ekrn" /y

C:\Windows\SysWOW64\net.exe

net stop "ESHASRV" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ESHASRV" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "AVP" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AVP" /y

C:\Windows\SysWOW64\net.exe

net stop "klnagent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "klnagent" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "kavfsslp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "kavfsslp" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFSGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFSGT" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFS" /y

C:\Windows\SysWOW64\net.exe

net stop "mfefire" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfefire" /y

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM zoolz.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM agntsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbeng50.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbsnmp.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM encsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM excel.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefoxconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM infopath.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM isqlplussvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msaccess.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msftesql.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mspub.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopqos.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-nt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-opt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocautoupds.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocomm.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocssd.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM onenote.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM oracle.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM outlook.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM powerpnt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqbcoreservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlagent.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlbrowser.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlservr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlwriter.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM steam.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM synctime.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tbirdconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat64.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thunderbird.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM visio.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM winword.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM wordpad.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM xfssvccon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tmlisten.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM PccNTMon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM CNTAoSMgr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM Ntrtscan.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mbamtray.exe /T

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 164

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 3
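
The process list above is the sample's complete pre-encryption chain: net stop against backup, database and security-product services (each stop appears twice because net.exe hands the work to net1.exe), taskkill /F /IM against database, mail and Office images, vssadmin Delete Shadows bracketing a shrink-to-401MB then unbounded resize of shadow storage on C: and F:, and a final cmd /c ping localhost -n 3 > nul & del self-deletion. The Python below is an added example, not tooling from the sandbox that produced this report. It classifies each command line into one of those stages, de-duplicates the net/net1 pairs, maps stopped services to product families with an illustrative analyst-maintained pattern list (an assumption, not a complete vendor catalogue), and flags the bounded-then-unbounded resize per volume. The input is a constructed subset of the commands recorded above with the sample's file name shortened to sample.exe.

```python
"""Classify the command lines a sample spawns (the net stop / taskkill /
vssadmin / cmd chain recorded above) into ransomware pre-encryption stages."""
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the command lines recorded in this report,
# with the sample's long file name shortened to sample.exe.
SAMPLE_CMDLINES = [
    'net stop "VeeamBackupSvc" /y',
    r'C:\Windows\system32\net1 stop "VeeamBackupSvc" /y',   # same stop, via net1
    'net stop "MSSQLSERVER" /y',
    'net stop "SAVService" /y',
    'net stop "ekrn" /y',
    'taskkill /F /IM sqlservr.exe /T',
    'taskkill /F /IM mbamtray.exe /T',
    'vssadmin Delete Shadows /all /quiet',
    'vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB',
    'vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded',
    'vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB',
    'vssadmin Delete Shadows /all /quiet',
    r'cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\sample.exe',
]

# Analyst-maintained, illustrative mapping (assumption: not a complete vendor
# catalogue) from service-name patterns to the product family they belong to.
SERVICE_FAMILIES = {
    "backup": r"^(Veeam|wbengine$|SDRSVC$|.*BKUPEXEC$|Zoolz|SQL Backups$|SQLSafeOLR)",
    "database": r"^(MSSQL|SQLAgent|SQLWriter$|SQLBrowser$|SQLSERVERAGENT$|SQLTELEMETRY"
                r"|MySQL|Oracle|MSOLAP|ReportServer|msftesql)",
    "security": r"^(SAV|sophossps$|swi_|SepMaster|Smc|SNAC$|ntrtscan$|tmlisten$|TmCCSF$"
                r"|mfefire$|AVP$|klnagent$|KAVFS|kavfsslp$|ekrn$|EhttpSrv$|ESHASRV$|WRSVC$)",
}

RE_NET_STOP = re.compile(r'\bnet1?\s+stop\s+"([^"]+)"', re.I)
RE_TASKKILL = re.compile(r'^taskkill\b.*?/IM\s+(\S+)', re.I)
RE_VSS_DELETE = re.compile(r'^vssadmin\s+delete\s+shadows\b', re.I)
RE_VSS_RESIZE = re.compile(r'^vssadmin\s+resize\s+shadowstorage\s+/for=(\S+)\s+/on=\S+\s+/maxsize=(\S+)', re.I)
RE_SELF_DELETE = re.compile(r'^cmd\s+/c\s+ping\s+\S+\s+-n\s+\d+.*&\s*del\s+(.+)$', re.I)


def classify(cmdline):
    """Return (stage, detail) for one command line, or None when no rule matches."""
    if m := RE_NET_STOP.search(cmdline):
        return "service_stop", m.group(1)
    if m := RE_TASKKILL.search(cmdline):
        return "process_kill", m.group(1).lower()
    if RE_VSS_DELETE.search(cmdline):
        return "shadow_delete", "all"
    if m := RE_VSS_RESIZE.search(cmdline):
        return "shadow_resize", (m.group(1).upper(), m.group(2).lower())
    if m := RE_SELF_DELETE.search(cmdline):
        return "self_delete", m.group(1).strip()
    return None


def service_family(name):
    for family, pattern in SERVICE_FAMILIES.items():
        if re.match(pattern, name, re.I):
            return family
    return "other"


def triage(cmdlines):
    """Aggregate hits: service families stopped, images killed, shadow deletion,
    the bounded-then-unbounded shadowstorage resize per volume, self-deletion."""
    stages, stopped, killed = Counter(), set(), set()
    last_size, trick_volumes, self_delete = {}, set(), []
    for line in cmdlines:
        hit = classify(line)
        if hit is None:
            continue
        stage, detail = hit
        stages[stage] += 1
        if stage == "service_stop":
            stopped.add(detail)            # set: net.exe and net1.exe both log the stop
        elif stage == "process_kill":
            killed.add(detail)
        elif stage == "shadow_resize":
            volume, size = detail
            # Shrinking shadow storage makes VSS discard existing snapshots;
            # restoring it to unbounded afterwards hides the change.
            if size == "unbounded" and last_size.get(volume) not in (None, "unbounded"):
                trick_volumes.add(volume)
            last_size[volume] = size
        elif stage == "self_delete":
            self_delete.append(detail)
    families = defaultdict(set)
    for svc in stopped:
        families[service_family(svc)].add(svc)
    return {
        "stages": dict(stages),
        "stopped_by_family": {k: sorted(v) for k, v in families.items()},
        "killed_images": sorted(killed),
        "shadow_deleted": stages["shadow_delete"] > 0,
        "resize_trick_volumes": sorted(trick_volumes),
        "self_delete_targets": self_delete,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINES).items():
        print(key, value)
```

Feeding the full process list above into triage() recovers the complete set of stopped families and killed images; on the constructed subset only C: is flagged for the resize trick because F: never receives the follow-up unbounded resize in that input.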

Network

N/A

Files

F:\!!!READ_ME_MEDUSA!!!.txt

MD5 ae2ccfb68aaf040e01ec2280b75c4d49
SHA1 6dd072344d5159e751451ba24624a1e2adbe6e07
SHA256 beff87729e2c44475014eb1efd72bb128b33a9b22309339c2332e3f718e8c4cd
SHA512 69dc9b2ff371a8f49b2d236e81bcaba33df55d5e96f262b16a2de170c88832fbd8696f00e39ef5ee0d8ee85e988abc2b80b3901a773d9161f0d9dc525f5f1618

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini

MD5 1284ec912f61fdcedebd95074d515966
SHA1 38a0ecae851897eea27ecfcf5ce29f058855efd2
SHA256 dfe7946adaeaaea0461095f4cdd1f8ae270dd4a0a6351290fd8d2d107e3068bc
SHA512 4b6672f921be85e13a9832b4179590d4ba667bd578f761215a55d740d33b6221e4d3568b89fa46c3dae26ff2a50118387a6489eace45b77aaec4c5faf073c342

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-02 09:53

Reported

2024-10-02 09:56

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe"

Signatures

Medusa Ransomware

ransomware medusaransomware

Renames multiple (8853) files with added filename extension

ransomware

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
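
Of the persistence-tagged rows in this signature block, only the ransom note written to the per-user Startup folder is something Windows will act on at the next logon (Startup items are opened with their default handler). The copy in Word's STARTUP folder is a .txt, which Word does not load from that folder; the desktop.ini modifications are the side effect of walking every directory; and the Active Setup key above is attributed to C:\Windows\explorer.exe, not the sample. The Python below is an added example, not tooling from the sandbox, that parses rows in the report's Description/Indicator/Process/Target layout and scores each for persistence with process attribution as the confidence input. It assumes the process and target columns contain no spaces (true of every row here); the rows are constructed from the ones above with paths shortened and the sample renamed to sample.exe.

```python
"""Score file and registry indicators from a sandbox signature table for
persistence relevance, weighting each row by whether the acting process is
the detonated sample or an unrelated system process."""
import ntpath
import re

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # stand-in for the sample's long name

# Constructed rows in the report's "Description Indicator Process Target"
# layout (paths shortened); the Active Setup row is kept as the report shows it.
SAMPLE_ROWS = [
    r"Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000"
    r"\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A",
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
    r"\Startup\!!!READ_ME_MEDUSA!!!.txt " + SAMPLE_EXE + " N/A",
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP"
    r"\!!!READ_ME_MEDUSA!!!.txt " + SAMPLE_EXE + " N/A",
    r"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
    r"\Start Menu\Programs\Startup\desktop.ini " + SAMPLE_EXE + " N/A",
    r"File opened for modification C:\Users\Admin\Documents\desktop.ini " + SAMPLE_EXE + " N/A",
    r"File opened for modification C:\Program Files\desktop.ini " + SAMPLE_EXE + " N/A",
]

# Assumption: the process and target columns never contain spaces (true for every
# row in this report), so the indicator is everything between the description
# and the last two whitespace-separated tokens.
ROW_RE = re.compile(r"^(Key created|File created|File opened for modification) (.+?) (\S+) (\S+)$")

AUTOSTART_RULES = [
    ("startup_folder", re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)),
    ("office_startup", re.compile(r"\\Microsoft\\Word\\STARTUP\\[^\\]+$", re.I)),
    ("active_setup", re.compile(r"\\Software\\Microsoft\\Active Setup\\Installed Components", re.I)),
]
WORD_STARTUP_EXTS = {".dot", ".dotm", ".dotx", ".wll"}   # what Word actually loads from STARTUP


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unparseable row: {row!r}")
    description, indicator, process, target = m.groups()
    return {"description": description, "indicator": indicator, "process": process, "target": target}


def locate(indicator):
    """Name the autostart location an indicator path falls in, 'folder_metadata'
    for desktop.ini, or 'other'."""
    if ntpath.basename(indicator).lower() == "desktop.ini":
        return "folder_metadata"
    for name, pattern in AUTOSTART_RULES:
        if pattern.search(indicator):
            return name
    return "other"


def assess(rows, sample_exe):
    """Return one finding per row with a confidence that it is sample persistence."""
    sample_name = ntpath.basename(sample_exe).lower()
    findings = []
    for row in rows:
        ev = parse_row(row)
        loc = locate(ev["indicator"])
        by_sample = ntpath.basename(ev["process"]).lower() == sample_name
        ext = ntpath.splitext(ev["indicator"])[1].lower()
        if loc == "startup_folder" and by_sample:
            conf, why = "high", "Startup folder items are opened with their default handler at logon"
        elif loc == "office_startup" and by_sample:
            if ext in WORD_STARTUP_EXTS:
                conf, why = "high", "Word loads templates and add-ins from STARTUP"
            else:
                conf, why = "low", f"Word does not load {ext or 'extensionless'} files from STARTUP; note dropped during directory walk"
        elif loc == "active_setup":
            if by_sample:
                conf, why = "high", "sample registered an Active Setup component"
            else:
                conf, why = "low", f"written by {ntpath.basename(ev['process'])}, not the sample; consistent with normal per-user Active Setup processing at logon"
        elif loc == "folder_metadata":
            conf, why = "info", "desktop.ini touched while walking directories; encryption side effect, not persistence"
        else:
            conf, why = "info", "no autostart semantics"
        findings.append({**ev, "location": loc, "confidence": conf, "reason": why})
    return findings


def persistence(findings):
    """Only the rows worth reporting as sample persistence."""
    return [f for f in findings if f["confidence"] == "high"]


if __name__ == "__main__":
    for f in assess(SAMPLE_ROWS, SAMPLE_EXE):
        print(f"{f['confidence']:5} {f['location']:16} {f['indicator']}  ({f['reason']})")
```

The desktop.ini check runs before the location rules so that the Startup folder's own desktop.ini is scored as folder metadata rather than as an autostart item; a .dotm dropped into Word's STARTUP by the sample would score high, which is the case the rule set is there to catch.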

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A

Network Share Discovery

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-30_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-48_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-disabled.svg C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\digsig_icons_2x.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyNoDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Windows Media Player\mpvis.DLL C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_opencarat_18.svg C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\root\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\AXIS.ELM C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-sl\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_whats_new_v1.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\editvideoimage.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.INF C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\Simple.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-250.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-gb\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_04.jpg C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymb.ttf C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xee27.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LargeTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ro-ro\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{9F06BF64-6C01-4271-A290-406D6544EEB5} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3688 wrote to memory of 556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3688 wrote to memory of 556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3688 wrote to memory of 556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2444 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2728 wrote to memory of 4688 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2728 wrote to memory of 4688 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2728 wrote to memory of 4688 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2444 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 4848 wrote to memory of 3764 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4848 wrote to memory of 3764 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4848 wrote to memory of 3764 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2444 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3708 wrote to memory of 4608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3708 wrote to memory of 4608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3708 wrote to memory of 4608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2444 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 1348 wrote to memory of 1132 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1348 wrote to memory of 1132 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1348 wrote to memory of 1132 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2444 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2856 wrote to memory of 1432 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2856 wrote to memory of 1432 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2856 wrote to memory of 1432 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2444 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 1960 wrote to memory of 4116 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1960 wrote to memory of 4116 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1960 wrote to memory of 4116 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2444 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2848 wrote to memory of 3028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2848 wrote to memory of 3028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2848 wrote to memory of 3028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2444 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 5116 wrote to memory of 3600 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5116 wrote to memory of 3600 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5116 wrote to memory of 3600 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2444 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3652 wrote to memory of 1104 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3652 wrote to memory of 1104 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3652 wrote to memory of 1104 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2444 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 2444 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe C:\Windows\SysWOW64\net.exe
PID 3956 wrote to memory of 3068 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe"

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "AcronisAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcronisAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "Antivirus" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Antivirus" /y

C:\Windows\SysWOW64\net.exe

net stop "ARSM" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ARSM" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net.exe

net stop "bedbg" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "bedbg" /y

C:\Windows\SysWOW64\net.exe

net stop "DCAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "DCAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "EPSecurityService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPSecurityService" /y

C:\Windows\SysWOW64\net.exe

net stop "EPUpdateService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPUpdateService" /y

C:\Windows\SysWOW64\net.exe

net stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net.exe

net stop "EsgShKernel" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EsgShKernel" /y

C:\Windows\SysWOW64\net.exe

net stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "IISAdmin" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IISAdmin" /y

C:\Windows\SysWOW64\net.exe

net stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "macmnsvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "macmnsvc" /y

C:\Windows\SysWOW64\net.exe

net stop "masvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "masvc" /y

C:\Windows\SysWOW64\net.exe

net stop "MBAMService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBAMService" /y

C:\Windows\SysWOW64\net.exe

net stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McShield" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McShield" /y

C:\Windows\SysWOW64\net.exe

net stop "McTaskManager" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McTaskManager" /y

C:\Windows\SysWOW64\net.exe

net stop "mfemms" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfemms" /y

C:\Windows\SysWOW64\net.exe

net stop "mfevtp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfevtp" /y

C:\Windows\SysWOW64\net.exe

net stop "MMS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MMS" /y

C:\Windows\SysWOW64\net.exe

net stop "mozyprobackup" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mozyprobackup" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeES" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeES" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL80" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL57" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL57" /y

C:\Windows\SysWOW64\net.exe

net stop "ntrtscan" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ntrtscan" /y

C:\Windows\SysWOW64\net.exe

net stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net.exe

net stop "PDVFSService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "PDVFSService" /y

C:\Windows\SysWOW64\net.exe

net stop "POP3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "POP3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "RESvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "RESvc" /y

C:\Windows\SysWOW64\net.exe

net stop "sacsvr" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sacsvr" /y

C:\Windows\SysWOW64\net.exe

net stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVAdminService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVAdminService" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVService" /y

C:\Windows\SysWOW64\net.exe

net stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "SepMasterService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SepMasterService" /y

C:\Windows\SysWOW64\net.exe

net stop "ShMonitor" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ShMonitor" /y

C:\Windows\SysWOW64\net.exe

net stop "Smcinst" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Smcinst" /y

C:\Windows\SysWOW64\net.exe

net stop "SmcService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SmcService" /y

C:\Windows\SysWOW64\net.exe

net stop "SMTPSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SMTPSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "SNAC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SNAC" /y

C:\Windows\SysWOW64\net.exe

net stop "SntpService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SntpService" /y

C:\Windows\SysWOW64\net.exe

net stop "sophossps" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sophossps" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLWriter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLWriter" /y

C:\Windows\SysWOW64\net.exe

net stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "svcGenericHost" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "svcGenericHost" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_filter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_filter" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_service" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update_64" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update_64" /y

C:\Windows\SysWOW64\net.exe

net stop "TmCCSF" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TmCCSF" /y

C:\Windows\SysWOW64\net.exe

net stop "tmlisten" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "tmlisten" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKey" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKey" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "W3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "W3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "WRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net stop "EhttpSrv" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EhttpSrv" /y

C:\Windows\SysWOW64\net.exe

net stop "ekrn" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ekrn" /y

C:\Windows\SysWOW64\net.exe

net stop "ESHASRV" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ESHASRV" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "AVP" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AVP" /y

C:\Windows\SysWOW64\net.exe

net stop "klnagent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "klnagent" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "kavfsslp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "kavfsslp" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFSGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFSGT" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFS" /y

C:\Windows\SysWOW64\net.exe

net stop "mfefire" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfefire" /y

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM zoolz.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM agntsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbeng50.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbsnmp.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM encsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM excel.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefoxconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM infopath.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM isqlplussvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msaccess.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msftesql.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mspub.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopqos.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-nt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-opt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocautoupds.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocomm.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocssd.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM onenote.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM oracle.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM outlook.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM powerpnt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqbcoreservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlagent.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlbrowser.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlservr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlwriter.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM steam.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM synctime.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tbirdconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat64.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thunderbird.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM visio.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM winword.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM wordpad.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM xfssvccon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tmlisten.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM PccNTMon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM CNTAoSMgr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM Ntrtscan.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mbamtray.exe /T

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\2024-10-02_ec5b1a6de3564c26c4e0e804e6bc2ecb_avoslocker_cobalt-strike.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2444 -ip 2444

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 364

Network

Country  Destination  Domain                          Proto
US       8.8.8.8:53   217.106.137.52.in-addr.arpa     udp
US       8.8.8.8:53   172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53   69.31.126.40.in-addr.arpa       udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53   196.249.167.52.in-addr.arpa     udp
US       8.8.8.8:53   26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53   18.31.95.13.in-addr.arpa        udp
US       8.8.8.8:53   172.214.232.199.in-addr.arpa    udp
US       8.8.8.8:53   13.227.111.52.in-addr.arpa      udp

Files

F:\!!!READ_ME_MEDUSA!!!.txt

MD5 ae2ccfb68aaf040e01ec2280b75c4d49
SHA1 6dd072344d5159e751451ba24624a1e2adbe6e07
SHA256 beff87729e2c44475014eb1efd72bb128b33a9b22309339c2332e3f718e8c4cd
SHA512 69dc9b2ff371a8f49b2d236e81bcaba33df55d5e96f262b16a2de170c88832fbd8696f00e39ef5ee0d8ee85e988abc2b80b3901a773d9161f0d9dc525f5f1618

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini

MD5 a15fb2a3f32cba3359140be653f60259
SHA1 5279c63a26a9e496cddf7a6d8970cca13cbebab9
SHA256 942c9a5f186c926ad67b51470f129b1544d3186edd05bcab5e8e021965926771
SHA512 4f1c7a5e17d86830612824cbb23d33ba7cd64bd8c6ad41faed952aa1ae4237e86a3b5d9c6f47dfc21b692dd36a5302bb759226226b0c214b53978750b025e170

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.MEDUSA

MD5 62da2fecc71beba6220fa3d6ed263b28
SHA1 be9e267a208b1631623f6404831ca4b3fcc15241
SHA256 efe8cd611126ab7651589e8d7459792585e9b05d5571049bce9478372fbf5df0
SHA512 d3cccca0f419114649c506fbd241ee92c8869065c76d3f7cbcb1fda93835da3d506529597b1b21ed91911022f2c53d72afc281fe230c76abff9235e678e53dd6