medusaransomware | 3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da

Analysis

max time kernel
92s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
Size

624KB
MD5

a6980e543efa40771ed1dcf84b29d732
SHA1

6586b2155afa5d7cda5cd3f8a7af37c4fe126a1d
SHA256

3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da
SHA512

d1ca8724c8879442907b7e45b59b954100ada37e036aa17496920a9783eb0738ff51831854acc8cafd805c116bfea47a903270fec74949f10b36eddf971ac06f
SSDEEP

12288:/ktG6SXJb0DdQ0k0HGzZbkh0wchQ5HYaIhadnR/t256S5AA2Ltyaxn1gUEEkfTSX:kS9JmVSvGWEAng/qwnYPRslWPLu1

Score

10^/10

medusaransomware credential_access discovery persistence ransomware spyware stealer

Malware Config

Signatures

Medusa Ransomware
Ransomware first identified in 2022 that is distinct from the similarly named ransomware family MedusaLocker.
ransomware medusaransomware
Medusaransomware family
medusaransomware
Renames multiple (8853) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Public\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-32_altform-unplated.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-200_contrast-black.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-ae\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYHBD.TTC	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-48_contrast-black.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\NativePurchaseControl.xaml	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\ui-strings.js	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\ui-strings.js	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.ps1	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-48_altform-lightunplated.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-80.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.ELM	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-150.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.7a43ec75.pri	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.winmd	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\AppWord32x32.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-black_scale-100.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\ui-strings.js	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.Tests.ps1	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ar-ae\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_In_App_Notification.m4a	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-20.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-200.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-150.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxMetadata\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\resources.pri	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare-2x.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\ieinstal.exe.mui	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-100.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireLargeTile.scale-100.jpg	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover_2x.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_ReptileEye.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1850_32x32x32.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailSmallTile.scale-150.png	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutImage.layoutdir-RTL.gif	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8456	508	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
8536	cmd.exe
8400	PING.EXE

Kills process with taskkill 44 IoCs

defense_evasion

pid	Process
5448	taskkill.exe
6176	taskkill.exe
6560	taskkill.exe
6844	taskkill.exe
6960	taskkill.exe
5396	taskkill.exe
5628	taskkill.exe
5808	taskkill.exe
5256	taskkill.exe
5320	taskkill.exe
6136	taskkill.exe
5640	taskkill.exe
6736	taskkill.exe
5836	taskkill.exe
6076	taskkill.exe
5920	taskkill.exe
5796	taskkill.exe
5160	taskkill.exe
5212	taskkill.exe
5416	taskkill.exe
6680	taskkill.exe
5216	taskkill.exe
6624	taskkill.exe
6900	taskkill.exe
5752	taskkill.exe
5188	taskkill.exe
5936	taskkill.exe
6340	taskkill.exe
6448	taskkill.exe
6508	taskkill.exe
7068	taskkill.exe
5532	taskkill.exe
6272	taskkill.exe
6392	taskkill.exe
6120	taskkill.exe
5600	taskkill.exe
5260	taskkill.exe
6100	taskkill.exe
6040	taskkill.exe
5316	taskkill.exe
6792	taskkill.exe
7016	taskkill.exe
7124	taskkill.exe
6012	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{A831B08B-93F6-44E5-B16C-8E498F6C946B}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
8400	PING.EXE

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	6012	taskkill.exe
Token: SeDebugPrivilege	5216	taskkill.exe
Token: SeDebugPrivilege	5396	taskkill.exe
Token: SeDebugPrivilege	5532	taskkill.exe
Token: SeDebugPrivilege	5836	taskkill.exe
Token: SeDebugPrivilege	5188	taskkill.exe
Token: SeDebugPrivilege	5160	taskkill.exe
Token: SeDebugPrivilege	5260	taskkill.exe
Token: SeDebugPrivilege	5600	taskkill.exe
Token: SeDebugPrivilege	5796	taskkill.exe
Token: SeDebugPrivilege	6100	taskkill.exe
Token: SeDebugPrivilege	5212	taskkill.exe
Token: SeDebugPrivilege	5628	taskkill.exe
Token: SeDebugPrivilege	5808	taskkill.exe
Token: SeDebugPrivilege	6040	taskkill.exe
Token: SeDebugPrivilege	5416	taskkill.exe
Token: SeDebugPrivilege	5752	taskkill.exe
Token: SeDebugPrivilege	6076	taskkill.exe
Token: SeDebugPrivilege	5256	taskkill.exe
Token: SeDebugPrivilege	5920	taskkill.exe
Token: SeDebugPrivilege	5448	taskkill.exe
Token: SeDebugPrivilege	5320	taskkill.exe
Token: SeDebugPrivilege	5936	taskkill.exe
Token: SeDebugPrivilege	5316	taskkill.exe
Token: SeDebugPrivilege	6136	taskkill.exe
Token: SeDebugPrivilege	5640	taskkill.exe
Token: SeDebugPrivilege	6176	taskkill.exe
Token: SeDebugPrivilege	6272	taskkill.exe
Token: SeDebugPrivilege	6340	taskkill.exe
Token: SeDebugPrivilege	6392	taskkill.exe
Token: SeDebugPrivilege	6448	taskkill.exe
Token: SeDebugPrivilege	6508	taskkill.exe
Token: SeDebugPrivilege	6560	taskkill.exe
Token: SeDebugPrivilege	6624	taskkill.exe
Token: SeDebugPrivilege	6680	taskkill.exe
Token: SeDebugPrivilege	6736	taskkill.exe
Token: SeDebugPrivilege	6792	taskkill.exe
Token: SeDebugPrivilege	6844	taskkill.exe
Token: SeDebugPrivilege	6900	taskkill.exe
Token: SeDebugPrivilege	6960	taskkill.exe
Token: SeDebugPrivilege	7016	taskkill.exe
Token: SeDebugPrivilege	7068	taskkill.exe
Token: SeDebugPrivilege	7124	taskkill.exe
Token: SeDebugPrivilege	6120	taskkill.exe
Token: SeShutdownPrivilege	2900	explorer.exe
Token: SeCreatePagefilePrivilege	2900	explorer.exe
Token: SeShutdownPrivilege	2900	explorer.exe
Token: SeCreatePagefilePrivilege	2900	explorer.exe
Token: SeShutdownPrivilege	2900	explorer.exe
Token: SeCreatePagefilePrivilege	2900	explorer.exe
Token: SeShutdownPrivilege	2900	explorer.exe
Token: SeCreatePagefilePrivilege	2900	explorer.exe
Token: SeShutdownPrivilege	2900	explorer.exe
Token: SeCreatePagefilePrivilege	2900	explorer.exe
Token: SeShutdownPrivilege	2900	explorer.exe
Token: SeCreatePagefilePrivilege	2900	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2900	explorer.exe
2900	explorer.exe
2900	explorer.exe
2900	explorer.exe
2900	explorer.exe
2900	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2900	explorer.exe
2900	explorer.exe
2900	explorer.exe
2900	explorer.exe
2900	explorer.exe
2900	explorer.exe
2900	explorer.exe
2900	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 508 wrote to memory of 4656	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	83
PID 508 wrote to memory of 4656	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	83
PID 508 wrote to memory of 4656	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	83
PID 4656 wrote to memory of 4620	4656	net.exe	85
PID 4656 wrote to memory of 4620	4656	net.exe	85
PID 4656 wrote to memory of 4620	4656	net.exe	85
PID 508 wrote to memory of 1700	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	86
PID 508 wrote to memory of 1700	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	86
PID 508 wrote to memory of 1700	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	86
PID 1700 wrote to memory of 1728	1700	net.exe	88
PID 1700 wrote to memory of 1728	1700	net.exe	88
PID 1700 wrote to memory of 1728	1700	net.exe	88
PID 508 wrote to memory of 388	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	89
PID 508 wrote to memory of 388	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	89
PID 508 wrote to memory of 388	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	89
PID 388 wrote to memory of 4076	388	net.exe	91
PID 388 wrote to memory of 4076	388	net.exe	91
PID 388 wrote to memory of 4076	388	net.exe	91
PID 508 wrote to memory of 3088	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	92
PID 508 wrote to memory of 3088	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	92
PID 508 wrote to memory of 3088	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	92
PID 3088 wrote to memory of 1484	3088	net.exe	94
PID 3088 wrote to memory of 1484	3088	net.exe	94
PID 3088 wrote to memory of 1484	3088	net.exe	94
PID 508 wrote to memory of 2568	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	95
PID 508 wrote to memory of 2568	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	95
PID 508 wrote to memory of 2568	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	95
PID 2568 wrote to memory of 216	2568	net.exe	97
PID 2568 wrote to memory of 216	2568	net.exe	97
PID 2568 wrote to memory of 216	2568	net.exe	97
PID 508 wrote to memory of 1224	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	98
PID 508 wrote to memory of 1224	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	98
PID 508 wrote to memory of 1224	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	98
PID 1224 wrote to memory of 1404	1224	net.exe	100
PID 1224 wrote to memory of 1404	1224	net.exe	100
PID 1224 wrote to memory of 1404	1224	net.exe	100
PID 508 wrote to memory of 1348	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	101
PID 508 wrote to memory of 1348	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	101
PID 508 wrote to memory of 1348	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	101
PID 1348 wrote to memory of 1792	1348	net.exe	103
PID 1348 wrote to memory of 1792	1348	net.exe	103
PID 1348 wrote to memory of 1792	1348	net.exe	103
PID 508 wrote to memory of 1344	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	104
PID 508 wrote to memory of 1344	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	104
PID 508 wrote to memory of 1344	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	104
PID 1344 wrote to memory of 2424	1344	net.exe	106
PID 1344 wrote to memory of 2424	1344	net.exe	106
PID 1344 wrote to memory of 2424	1344	net.exe	106
PID 508 wrote to memory of 636	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	107
PID 508 wrote to memory of 636	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	107
PID 508 wrote to memory of 636	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	107
PID 636 wrote to memory of 2004	636	net.exe	109
PID 636 wrote to memory of 2004	636	net.exe	109
PID 636 wrote to memory of 2004	636	net.exe	109
PID 508 wrote to memory of 2428	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	110
PID 508 wrote to memory of 2428	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	110
PID 508 wrote to memory of 2428	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	110
PID 2428 wrote to memory of 1752	2428	net.exe	112
PID 2428 wrote to memory of 1752	2428	net.exe	112
PID 2428 wrote to memory of 1752	2428	net.exe	112
PID 508 wrote to memory of 1568	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	113
PID 508 wrote to memory of 1568	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	113
PID 508 wrote to memory of 1568	508	2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe	113
PID 1568 wrote to memory of 2812	1568	net.exe	115

C:\Users\Admin\AppData\Local\Temp\2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:508
- C:\Windows\SysWOW64\net.exe
  net stop "Acronis VSS Provider" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:4620
- C:\Windows\SysWOW64\net.exe
  net stop "Enterprise Client Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    PID:1728
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Agent" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    PID:4076
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos AutoUpdate Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    PID:1484
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Clean Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:216
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Device Control Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:1404
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos File Scanner Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:1792
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Health Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Agent" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    PID:2004
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Client" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1752
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Message Router" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    PID:2812
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Safestore Service" /y
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    PID:4048
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos System Protection Service" /y
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    PID:2648
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Web Control Service" /y
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:2156
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Backup Service" /y
  2⤵
  PID:4376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    PID:3528
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Filter Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    PID:2276
- C:\Windows\SysWOW64\net.exe
  net stop "Symantec System Recovery" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:3176
- C:\Windows\SysWOW64\net.exe
  net stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:4904
- C:\Windows\SysWOW64\net.exe
  net stop "AcronisAgent" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcronisAgent" /y
    3⤵
    PID:8
- C:\Windows\SysWOW64\net.exe
  net stop "AcrSch2Svc" /y
  2⤵
  PID:2944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcrSch2Svc" /y
    3⤵
    PID:2052
- C:\Windows\SysWOW64\net.exe
  net stop "Antivirus" /y
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Antivirus" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4528
- C:\Windows\SysWOW64\net.exe
  net stop "ARSM" /y
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ARSM" /y
    3⤵
    PID:3016
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentAccelerator" /y
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
    3⤵
    PID:4860
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentBrowser" /y
  2⤵
  PID:880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y
    3⤵
    PID:4320
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecDeviceMediaService" /y
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
    3⤵
    PID:3084
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecJobEngine" /y
  2⤵
  PID:4124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
    3⤵
    PID:2708
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecManagementService" /y
  2⤵
  PID:3612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecManagementService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3040
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecRPCService" /y
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecRPCService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3356
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecVSSProvider" /y
  2⤵
  PID:2152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
    3⤵
    PID:664
- C:\Windows\SysWOW64\net.exe
  net stop "bedbg" /y
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "bedbg" /y
    3⤵
    PID:4368
- C:\Windows\SysWOW64\net.exe
  net stop "DCAgent" /y
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "DCAgent" /y
    3⤵
    PID:4636
- C:\Windows\SysWOW64\net.exe
  net stop "EPSecurityService" /y
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPSecurityService" /y
    3⤵
    PID:2712
- C:\Windows\SysWOW64\net.exe
  net stop "EPUpdateService" /y
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPUpdateService" /y
    3⤵
    PID:5016
- C:\Windows\SysWOW64\net.exe
  net stop "EraserSvc11710" /y
  2⤵
  PID:3112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EraserSvc11710" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4496
- C:\Windows\SysWOW64\net.exe
  net stop "EsgShKernel" /y
  2⤵
  PID:4436
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EsgShKernel" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3772
- C:\Windows\SysWOW64\net.exe
  net stop "FA_Scheduler" /y
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "FA_Scheduler" /y
    3⤵
    PID:2968
- C:\Windows\SysWOW64\net.exe
  net stop "IISAdmin" /y
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IISAdmin" /y
    3⤵
    PID:1160
- C:\Windows\SysWOW64\net.exe
  net stop "IMAP4Svc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IMAP4Svc" /y
    3⤵
    PID:3156
- C:\Windows\SysWOW64\net.exe
  net stop "macmnsvc" /y
  2⤵
  PID:3212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "macmnsvc" /y
    3⤵
    PID:3576
- C:\Windows\SysWOW64\net.exe
  net stop "masvc" /y
  2⤵
  PID:4640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "masvc" /y
    3⤵
    PID:3204
- C:\Windows\SysWOW64\net.exe
  net stop "MBAMService" /y
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBAMService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- C:\Windows\SysWOW64\net.exe
  net stop "MBEndpointAgent" /y
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBEndpointAgent" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3508
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeEngineService" /y
  2⤵
  PID:864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeEngineService" /y
    3⤵
    PID:4964
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFramework" /y
  2⤵
  PID:4308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFramework" /y
    3⤵
    PID:2980
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFrameworkMcAfeeFramework" /y
  2⤵
  PID:3996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5080
- C:\Windows\SysWOW64\net.exe
  net stop "McShield" /y
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McShield" /y
    3⤵
    PID:2796
- C:\Windows\SysWOW64\net.exe
  net stop "McTaskManager" /y
  2⤵
  PID:3752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McTaskManager" /y
    3⤵
    PID:5068
- C:\Windows\SysWOW64\net.exe
  net stop "mfemms" /y
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfemms" /y
    3⤵
    PID:4136
- C:\Windows\SysWOW64\net.exe
  net stop "mfevtp" /y
  2⤵
  PID:5012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfevtp" /y
    3⤵
    PID:4972
- C:\Windows\SysWOW64\net.exe
  net stop "MMS" /y
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MMS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2284
- C:\Windows\SysWOW64\net.exe
  net stop "mozyprobackup" /y
  2⤵
  PID:2828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mozyprobackup" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1076
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer" /y
  2⤵
  PID:852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer" /y
    3⤵
    PID:3372
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer100" /y
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer100" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:696
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer110" /y
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer110" /y
    3⤵
    PID:2264
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeES" /y
  2⤵
  PID:4156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeES" /y
    3⤵
    PID:408
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeIS" /y
  2⤵
  PID:3816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeIS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4440
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMGMT" /y
  2⤵
  PID:460
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
    3⤵
    PID:3500
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMTA" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMTA" /y
    3⤵
    PID:2020
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSA" /y
  2⤵
  PID:4604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSA" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1372
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSRS" /y
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSRS" /y
    3⤵
    PID:4720
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SQL_2008" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
    3⤵
    PID:3944
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SYSTEM_BGC" /y
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
    3⤵
    PID:3024
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPS" /y
  2⤵
  PID:4140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
    3⤵
    PID:3432
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPSAMA" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
    3⤵
    PID:3956
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$BKUPEXEC" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$ECWDB2" /y
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
    3⤵
    PID:4612
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTICEMGT" /y
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
    3⤵
    PID:804
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTTICEBGC" /y
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
    3⤵
    PID:3896
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROFXENGAGEMENT" /y
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
    3⤵
    PID:4152
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SBSMONITORING" /y
  2⤵
  PID:652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
    3⤵
    PID:3180
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SHAREPOINT" /y
  2⤵
  PID:3252
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2212
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQL_2008" /y
  2⤵
  PID:752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
    3⤵
    PID:3056
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SYSTEM_BGC" /y
  2⤵
  PID:4748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
    3⤵
    PID:316
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPS" /y
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPS" /y
    3⤵
    PID:1156
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPSAMA" /y
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
    3⤵
    PID:1444
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:912
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2012" /y
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
    3⤵
    PID:3748
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher" /y
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4616
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
    3⤵
    PID:4992
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SBSMONITORING" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
    3⤵
    PID:4828
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SHAREPOINT" /y
  2⤵
  PID:32
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
    3⤵
    PID:3968
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SQL_2008" /y
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
    3⤵
    PID:3200
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SYSTEM_BGC" /y
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
    3⤵
    PID:1320
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPS" /y
  2⤵
  PID:2728
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
    3⤵
    PID:1620
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPSAMA" /y
  2⤵
  PID:4300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
    3⤵
    PID:3616
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLSERVER" /y
  2⤵
  PID:4892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLSERVER" /y
    3⤵
    PID:3032
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper100" /y
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
    3⤵
    PID:1968
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerOLAPService" /y
  2⤵
  PID:3572
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
    3⤵
    PID:4432
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL80" /y
  2⤵
  PID:4756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL80" /y
    3⤵
    PID:1996
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL57" /y
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL57" /y
    3⤵
    PID:3664
- C:\Windows\SysWOW64\net.exe
  net stop "ntrtscan" /y
  2⤵
  PID:3636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ntrtscan" /y
    3⤵
    PID:4564
- C:\Windows\SysWOW64\net.exe
  net stop "OracleClientCache80" /y
  2⤵
  PID:4448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "OracleClientCache80" /y
    3⤵
    PID:3856
- C:\Windows\SysWOW64\net.exe
  net stop "PDVFSService" /y
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "PDVFSService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3600
- C:\Windows\SysWOW64\net.exe
  net stop "POP3Svc" /y
  2⤵
  PID:5056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "POP3Svc" /y
    3⤵
    PID:4572
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer" /y
  2⤵
  PID:2888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer" /y
    3⤵
    PID:3480
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SQL_2008" /y
  2⤵
  PID:4556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:552
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SYSTEM_BGC" /y
  2⤵
  PID:4560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
    3⤵
    PID:4796
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPS" /y
  2⤵
  PID:2736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPS" /y
    3⤵
    PID:2688
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPSAMA" /y
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3844
- C:\Windows\SysWOW64\net.exe
  net stop "RESvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "RESvc" /y
    3⤵
    PID:816
- C:\Windows\SysWOW64\net.exe
  net stop "sacsvr" /y
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sacsvr" /y
    3⤵
    PID:2960
- C:\Windows\SysWOW64\net.exe
  net stop "SamSs" /y
  2⤵
  PID:464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:3972
- C:\Windows\SysWOW64\net.exe
  net stop "SAVAdminService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVAdminService" /y
    3⤵
    PID:4816
- C:\Windows\SysWOW64\net.exe
  net stop "SAVService" /y
  2⤵
  PID:5108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVService" /y
    3⤵
    PID:548
- C:\Windows\SysWOW64\net.exe
  net stop "SDRSVC" /y
  2⤵
  PID:4544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:2940
- C:\Windows\SysWOW64\net.exe
  net stop "SepMasterService" /y
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SepMasterService" /y
    3⤵
    PID:536
- C:\Windows\SysWOW64\net.exe
  net stop "ShMonitor" /y
  2⤵
  PID:3504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ShMonitor" /y
    3⤵
    PID:3036
- C:\Windows\SysWOW64\net.exe
  net stop "Smcinst" /y
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Smcinst" /y
    3⤵
    PID:2396
- C:\Windows\SysWOW64\net.exe
  net stop "SmcService" /y
  2⤵
  PID:3804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SmcService" /y
    3⤵
    PID:4012
- C:\Windows\SysWOW64\net.exe
  net stop "SMTPSvc" /y
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SMTPSvc" /y
    3⤵
    PID:228
- C:\Windows\SysWOW64\net.exe
  net stop "SNAC" /y
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SNAC" /y
    3⤵
    PID:4396
- C:\Windows\SysWOW64\net.exe
  net stop "SntpService" /y
  2⤵
  PID:4380
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SntpService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4736
- C:\Windows\SysWOW64\net.exe
  net stop "sophossps" /y
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sophossps" /y
    3⤵
    PID:2932
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$BKUPEXEC" /y
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
    3⤵
    PID:4332
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$ECWDB2" /y
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
    3⤵
    PID:4832
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEBGC" /y
  2⤵
  PID:4032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
    3⤵
    PID:1856
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEMGT" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1148
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROFXENGAGEMENT" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
    3⤵
    PID:1012
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SBSMONITORING" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
    3⤵
    PID:4868
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SHAREPOINT" /y
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
    3⤵
    PID:4596
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQL_2008" /y
  2⤵
  PID:3696
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
    3⤵
    PID:3584
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SYSTEM_BGC" /y
  2⤵
  PID:4632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
    3⤵
    PID:1168
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPS" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:960
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPSAMA" /y
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
    3⤵
    PID:640
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    PID:4404
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2012" /y
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
    3⤵
    PID:3892
- C:\Windows\SysWOW64\net.exe
  net stop "SQLBrowser" /y
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLBrowser" /y
    3⤵
    PID:1612
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSafeOLRService" /y
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSERVERAGENT" /y
  2⤵
  PID:1056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
    3⤵
    PID:848
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY" /y
  2⤵
  PID:2456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
    3⤵
    PID:1848
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY$ECWDB2" /y
  2⤵
  PID:2696
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y
    3⤵
    PID:4100
- C:\Windows\SysWOW64\net.exe
  net stop "SQLWriter" /y
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLWriter" /y
    3⤵
    PID:4500
- C:\Windows\SysWOW64\net.exe
  net stop "SstpSvc" /y
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:372
- C:\Windows\SysWOW64\net.exe
  net stop "svcGenericHost" /y
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "svcGenericHost" /y
    3⤵
    PID:936
- C:\Windows\SysWOW64\net.exe
  net stop "swi_filter" /y
  2⤵
  PID:932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_filter" /y
    3⤵
    PID:2956
- C:\Windows\SysWOW64\net.exe
  net stop "swi_service" /y
  2⤵
  PID:4760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_service" /y
    3⤵
    PID:2232
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update_64" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5072
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update_64" /y
    3⤵
    PID:2132
- C:\Windows\SysWOW64\net.exe
  net stop "TmCCSF" /y
  2⤵
  PID:3848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TmCCSF" /y
    3⤵
    PID:4508
- C:\Windows\SysWOW64\net.exe
  net stop "tmlisten" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "tmlisten" /y
    3⤵
    PID:2920
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKey" /y
  2⤵
  PID:2472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKey" /y
    3⤵
    PID:3624
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyScheduler" /y
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyScheduler" /y
    3⤵
    PID:1928
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyServiceHelper" /y
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y
    3⤵
    PID:808
- C:\Windows\SysWOW64\net.exe
  net stop "UI0Detect" /y
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3888
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBackupSvc" /y
  2⤵
  PID:5128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
    3⤵
    PID:5176
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBrokerSvc" /y
  2⤵
  PID:5192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5236
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCatalogSvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
    3⤵
    PID:5348
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCloudSvc" /y
  2⤵
  PID:5364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
    3⤵
    PID:5408
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploymentService" /y
  2⤵
  PID:5424
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploymentService" /y
    3⤵
    PID:5464
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploySvc" /y
  2⤵
  PID:5480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploySvc" /y
    3⤵
    PID:5528
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamEnterpriseManagerSvc" /y
  2⤵
  PID:5544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
    3⤵
    PID:5592
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamMountSvc" /y
  2⤵
  PID:5608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamMountSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5656
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamNFSSvc" /y
  2⤵
  PID:5672
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
    3⤵
    PID:5720
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamRESTSvc" /y
  2⤵
  PID:5736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5784
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamTransportSvc" /y
  2⤵
  PID:5800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamTransportSvc" /y
    3⤵
    PID:5848
- C:\Windows\SysWOW64\net.exe
  net stop "W3Svc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "W3Svc" /y
    3⤵
    PID:5912
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  PID:5928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:5976
- C:\Windows\SysWOW64\net.exe
  net stop "WRSVC" /y
  2⤵
  PID:5992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WRSVC" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6036
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  PID:6056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    PID:6104
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:6124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1144
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamHvIntegrationSvc" /y
  2⤵
  PID:5148
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y
    3⤵
    PID:5204
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update" /y
  2⤵
  PID:5264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update" /y
    3⤵
    PID:5352
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CXDB" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
    3⤵
    PID:5404
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CITRIX_METAFRAME" /y
  2⤵
  PID:5384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
    3⤵
    PID:5496
- C:\Windows\SysWOW64\net.exe
  net stop "SQL Backups" /y
  2⤵
  PID:5512
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQL Backups" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5576
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROD" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROD" /y
    3⤵
    PID:5716
- C:\Windows\SysWOW64\net.exe
  net stop "Zoolz 2 Service" /y
  2⤵
  PID:5708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
    3⤵
    PID:5764
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper" /y
  2⤵
  PID:5840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
    3⤵
    PID:5908
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROD" /y
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
    3⤵
    PID:6048
- C:\Windows\SysWOW64\net.exe
  net stop "msftesql$PROD" /y
  2⤵
  PID:6016
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "msftesql$PROD" /y
    3⤵
    PID:6088
- C:\Windows\SysWOW64\net.exe
  net stop "NetMsmqActivator" /y
  2⤵
  PID:6140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    PID:6132
- C:\Windows\SysWOW64\net.exe
  net stop "EhttpSrv" /y
  2⤵
  PID:5268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EhttpSrv" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5228
- C:\Windows\SysWOW64\net.exe
  net stop "ekrn" /y
  2⤵
  PID:5356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ekrn" /y
    3⤵
    PID:5332
- C:\Windows\SysWOW64\net.exe
  net stop "ESHASRV" /y
  2⤵
  PID:5380
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ESHASRV" /y
    3⤵
    PID:5540
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SOPHOS" /y
  2⤵
  PID:5452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
    3⤵
    PID:5556
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SOPHOS" /y
  2⤵
  PID:5636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
    3⤵
    PID:5812
- C:\Windows\SysWOW64\net.exe
  net stop "AVP" /y
  2⤵
  PID:5768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AVP" /y
    3⤵
    PID:5924
- C:\Windows\SysWOW64\net.exe
  net stop "klnagent" /y
  2⤵
  PID:5828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "klnagent" /y
    3⤵
    PID:5988
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQLEXPRESS" /y
  2⤵
  PID:6080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
    3⤵
    PID:5172
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQLEXPRESS" /y
  2⤵
  PID:3476
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
    3⤵
    PID:5156
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  PID:5392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:5412
- C:\Windows\SysWOW64\net.exe
  net stop "kavfsslp" /y
  2⤵
  PID:5492
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "kavfsslp" /y
    3⤵
    PID:5580
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFSGT" /y
  2⤵
  PID:5564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFSGT" /y
    3⤵
    PID:5616
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFS" /y
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFS" /y
    3⤵
    PID:6044
- C:\Windows\SysWOW64\net.exe
  net stop "mfefire" /y
  2⤵
  PID:6084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfefire" /y
    3⤵
    PID:6116
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM zoolz.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6012
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM agntsvc.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbeng50.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5396
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbsnmp.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5532
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM encsvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5836
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM excel.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5188
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefoxconfig.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5160
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM infopath.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5260
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM isqlplussvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msaccess.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5796
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msftesql.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6100
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mspub.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5212
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopqos.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5628
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopservice.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5808
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-nt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5416
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-opt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocautoupds.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6076
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocomm.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5256
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocssd.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5920
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM onenote.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5448
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM oracle.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5320
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM outlook.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5936
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM powerpnt.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5316
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqbcoreservice.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6136
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlagent.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5640
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlbrowser.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6176
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlservr.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6272
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlwriter.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6340
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM steam.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6392
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM synctime.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6448
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tbirdconfig.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6508
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6560
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat64.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6624
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thunderbird.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6680
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM visio.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6736
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM winword.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM wordpad.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6844
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM xfssvccon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tmlisten.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6960
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM PccNTMon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7016
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM CNTAoSMgr.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7068
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM Ntrtscan.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7124
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mbamtray.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8536
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:8400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 308
  2⤵
  - Program crash
  PID:8456

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 508 -ip 508
1⤵
PID:8380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini

Filesize
488B

MD5
d8459d25d52f3870c47e7805339bb63e

SHA1
4315ee2d466ac70958d4152a2b4e1c9c1e3f7f31

SHA256
80b4d13192b26ba6ce8c065f990c9c4c60f917aa26e9237b401fec99c3fd002b

SHA512
4a1a740937d9f1d1cd661b1cafef2c3a5588723daeb99befb09b73756cadec95259a3494d0a5281f79fba41f9dd97891d0dce8685dd9c2b2cbaee89e375b38e4

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.MEDUSA

Filesize
623KB

MD5
3a5b1c9c63f1262649234a788b256830

SHA1
e9b768342d737169fb78fdbacdeb02ddc6677264

SHA256
11b7a1023ae28eb328a1e852461705310bfdde06ac7d8ea7fa53a673dbdd0bc8

SHA512
569b37db8c5b1ae067957465b2f5c0c1ab554f393970ba7311bfe9072e71c6d81b1d7416095554e4c6fe2a8ca3a0ce0a2529a857ad202b3ff975ed72c12e7973

Download Submit
F:\!!!READ_ME_MEDUSA!!!.txt

Filesize
3KB

MD5
5403d641e60c7d266a7070be82dba163

SHA1
4362f925483128ee3fc65d1612309c0475b5cd59

SHA256
b60a2235cf8d69a222692ac19230be187e062ab208dbe7ff24027ef47ce0634d

SHA512
a013d8462fe8e039150356ef9773b20114d6ae21d21331bb05db200710f1d3b699234ce51cbade7f3caeec577f520cdcc145d149bebdb552e0ebd90fcc41147d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads