medusaransomware | df0f05469702bd70c49045dcbbefc65e735f4116bdb12526cd16110472a51dc8

Analysis

max time kernel
94s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
Size

624KB
MD5

bdf6ac02664baea655b103d50bdfd6ec
SHA1

6613e813d28527f905e23ead7ed66c43d85f5894
SHA256

df0f05469702bd70c49045dcbbefc65e735f4116bdb12526cd16110472a51dc8
SHA512

c1fd604fbb20b8950d2b9e05fa1c3329c3c13684002750a3ec67c2ac15ce22f52a4296afb962140d057b1e340afc01174a0d7bfa298d57259f01c6fb908ea1bc
SSDEEP

12288:mS926SXIb0z9GjskXErHDoBEA8xQJfIGIB6SKYvd+JCexsE2Nts6hElgE0sFwEjV:9nhAJkJmVSvGWEc3v/KwkoaRshWP3et5

Score

10^/10

medusaransomware credential_access discovery persistence ransomware spyware stealer

Malware Config

Signatures

Medusa Ransomware
Ransomware first identified in 2022 that is distinct from the similarly named ransomware family MedusaLocker.
ransomware medusaransomware
Medusaransomware family
medusaransomware
Renames multiple (8904) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Images\fb_blank_profile_portrait.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Microsoft\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-100_contrast-black.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\193.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-150.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\ui-strings.js	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-125_contrast-white.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24_altform-lightunplated.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\xboxservices.config	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-40_contrast-black.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-32_contrast-black.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\illustrations.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\ui-strings.js	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\Square310x310Logo.scale-125.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-100_contrast-white.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-black_scale-100.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-60.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-16_contrast-black.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\View3d\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinStickyNotes.xml	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\ui-strings.js	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeGreaterThan.Tests.ps1	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.SmartGlass.Controls\MsaAuthenticatorView.xaml	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-100.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview-hover.svg	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\194.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\beeps\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\comment.svg	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoInternetConnection_120x80.svg	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\uk.pak	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\!!!READ_ME_MEDUSA!!!.txt	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinResearcher.xml	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\OperationValidationResources.psd1	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\175.png	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxManifest.xml	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6764	2620	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5928	cmd.exe
5192	PING.EXE

Kills process with taskkill 44 IoCs

defense_evasion

pid	Process
5480	taskkill.exe
6156	taskkill.exe
6464	taskkill.exe
6248	taskkill.exe
6048	taskkill.exe
5840	taskkill.exe
6280	taskkill.exe
6340	taskkill.exe
6120	taskkill.exe
6756	taskkill.exe
5156	taskkill.exe
5668	taskkill.exe
5964	taskkill.exe
5256	taskkill.exe
6000	taskkill.exe
5900	taskkill.exe
4532	taskkill.exe
5952	taskkill.exe
6064	taskkill.exe
5276	taskkill.exe
5456	taskkill.exe
6216	taskkill.exe
7092	taskkill.exe
5884	taskkill.exe
5920	taskkill.exe
6524	taskkill.exe
6580	taskkill.exe
6912	taskkill.exe
7040	taskkill.exe
6008	taskkill.exe
5872	taskkill.exe
5948	taskkill.exe
6640	taskkill.exe
7148	taskkill.exe
6140	taskkill.exe
5536	taskkill.exe
6400	taskkill.exe
1896	taskkill.exe
5772	taskkill.exe
5628	taskkill.exe
6700	taskkill.exe
6808	taskkill.exe
6860	taskkill.exe
6976	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{8A730F81-FA02-4F3B-B546-419256594C76}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5192	PING.EXE

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	5884	taskkill.exe
Token: SeDebugPrivilege	6008	taskkill.exe
Token: SeDebugPrivilege	6140	taskkill.exe
Token: SeDebugPrivilege	5156	taskkill.exe
Token: SeDebugPrivilege	5668	taskkill.exe
Token: SeDebugPrivilege	5964	taskkill.exe
Token: SeDebugPrivilege	5872	taskkill.exe
Token: SeDebugPrivilege	6048	taskkill.exe
Token: SeDebugPrivilege	5480	taskkill.exe
Token: SeDebugPrivilege	5840	taskkill.exe
Token: SeDebugPrivilege	5952	taskkill.exe
Token: SeDebugPrivilege	5256	taskkill.exe
Token: SeDebugPrivilege	5772	taskkill.exe
Token: SeDebugPrivilege	5628	taskkill.exe
Token: SeDebugPrivilege	6064	taskkill.exe
Token: SeDebugPrivilege	5536	taskkill.exe
Token: SeDebugPrivilege	5276	taskkill.exe
Token: SeDebugPrivilege	5456	taskkill.exe
Token: SeDebugPrivilege	6000	taskkill.exe
Token: SeDebugPrivilege	5900	taskkill.exe
Token: SeDebugPrivilege	5920	taskkill.exe
Token: SeDebugPrivilege	5948	taskkill.exe
Token: SeDebugPrivilege	6156	taskkill.exe
Token: SeDebugPrivilege	6216	taskkill.exe
Token: SeDebugPrivilege	6280	taskkill.exe
Token: SeDebugPrivilege	6340	taskkill.exe
Token: SeDebugPrivilege	6400	taskkill.exe
Token: SeDebugPrivilege	6464	taskkill.exe
Token: SeDebugPrivilege	6524	taskkill.exe
Token: SeDebugPrivilege	6580	taskkill.exe
Token: SeDebugPrivilege	6640	taskkill.exe
Token: SeDebugPrivilege	6700	taskkill.exe
Token: SeDebugPrivilege	6756	taskkill.exe
Token: SeDebugPrivilege	6808	taskkill.exe
Token: SeDebugPrivilege	6860	taskkill.exe
Token: SeDebugPrivilege	6912	taskkill.exe
Token: SeDebugPrivilege	6976	taskkill.exe
Token: SeDebugPrivilege	7040	taskkill.exe
Token: SeDebugPrivilege	7092	taskkill.exe
Token: SeDebugPrivilege	7148	taskkill.exe
Token: SeDebugPrivilege	6120	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	6248	taskkill.exe
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeShutdownPrivilege	6224	explorer.exe
Token: SeCreatePagefilePrivilege	6224	explorer.exe
Token: SeShutdownPrivilege	6224	explorer.exe
Token: SeCreatePagefilePrivilege	6224	explorer.exe
Token: SeShutdownPrivilege	6224	explorer.exe
Token: SeCreatePagefilePrivilege	6224	explorer.exe
Token: SeShutdownPrivilege	6224	explorer.exe
Token: SeCreatePagefilePrivilege	6224	explorer.exe
Token: SeShutdownPrivilege	6224	explorer.exe
Token: SeCreatePagefilePrivilege	6224	explorer.exe
Token: SeShutdownPrivilege	6224	explorer.exe
Token: SeCreatePagefilePrivilege	6224	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
6224	explorer.exe
6224	explorer.exe
6224	explorer.exe
6224	explorer.exe
6224	explorer.exe
6224	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
6224	explorer.exe
6224	explorer.exe
6224	explorer.exe
6224	explorer.exe
6224	explorer.exe
6224	explorer.exe
6224	explorer.exe
6224	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 3720	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	83
PID 2620 wrote to memory of 3720	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	83
PID 2620 wrote to memory of 3720	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	83
PID 3720 wrote to memory of 3560	3720	net.exe	85
PID 3720 wrote to memory of 3560	3720	net.exe	85
PID 3720 wrote to memory of 3560	3720	net.exe	85
PID 2620 wrote to memory of 3136	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	86
PID 2620 wrote to memory of 3136	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	86
PID 2620 wrote to memory of 3136	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	86
PID 3136 wrote to memory of 3880	3136	net.exe	88
PID 3136 wrote to memory of 3880	3136	net.exe	88
PID 3136 wrote to memory of 3880	3136	net.exe	88
PID 2620 wrote to memory of 4968	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	89
PID 2620 wrote to memory of 4968	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	89
PID 2620 wrote to memory of 4968	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	89
PID 4968 wrote to memory of 3940	4968	net.exe	91
PID 4968 wrote to memory of 3940	4968	net.exe	91
PID 4968 wrote to memory of 3940	4968	net.exe	91
PID 2620 wrote to memory of 2440	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	92
PID 2620 wrote to memory of 2440	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	92
PID 2620 wrote to memory of 2440	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	92
PID 2440 wrote to memory of 1280	2440	net.exe	94
PID 2440 wrote to memory of 1280	2440	net.exe	94
PID 2440 wrote to memory of 1280	2440	net.exe	94
PID 2620 wrote to memory of 1288	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	95
PID 2620 wrote to memory of 1288	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	95
PID 2620 wrote to memory of 1288	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	95
PID 1288 wrote to memory of 1740	1288	net.exe	97
PID 1288 wrote to memory of 1740	1288	net.exe	97
PID 1288 wrote to memory of 1740	1288	net.exe	97
PID 2620 wrote to memory of 3960	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	98
PID 2620 wrote to memory of 3960	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	98
PID 2620 wrote to memory of 3960	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	98
PID 3960 wrote to memory of 4784	3960	net.exe	100
PID 3960 wrote to memory of 4784	3960	net.exe	100
PID 3960 wrote to memory of 4784	3960	net.exe	100
PID 2620 wrote to memory of 3904	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	101
PID 2620 wrote to memory of 3904	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	101
PID 2620 wrote to memory of 3904	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	101
PID 3904 wrote to memory of 100	3904	net.exe	103
PID 3904 wrote to memory of 100	3904	net.exe	103
PID 3904 wrote to memory of 100	3904	net.exe	103
PID 2620 wrote to memory of 3004	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	104
PID 2620 wrote to memory of 3004	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	104
PID 2620 wrote to memory of 3004	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	104
PID 3004 wrote to memory of 1884	3004	net.exe	106
PID 3004 wrote to memory of 1884	3004	net.exe	106
PID 3004 wrote to memory of 1884	3004	net.exe	106
PID 2620 wrote to memory of 5012	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	107
PID 2620 wrote to memory of 5012	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	107
PID 2620 wrote to memory of 5012	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	107
PID 5012 wrote to memory of 4492	5012	net.exe	109
PID 5012 wrote to memory of 4492	5012	net.exe	109
PID 5012 wrote to memory of 4492	5012	net.exe	109
PID 2620 wrote to memory of 4328	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	110
PID 2620 wrote to memory of 4328	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	110
PID 2620 wrote to memory of 4328	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	110
PID 4328 wrote to memory of 116	4328	net.exe	112
PID 4328 wrote to memory of 116	4328	net.exe	112
PID 4328 wrote to memory of 116	4328	net.exe	112
PID 2620 wrote to memory of 2396	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	113
PID 2620 wrote to memory of 2396	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	113
PID 2620 wrote to memory of 2396	2620	2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe	113
PID 2396 wrote to memory of 4600	2396	net.exe	115

C:\Users\Admin\AppData\Local\Temp\2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\net.exe
  net stop "Acronis VSS Provider" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3⤵
    PID:3560
- C:\Windows\SysWOW64\net.exe
  net stop "Enterprise Client Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3⤵
    PID:3880
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Agent" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Agent" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3940
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos AutoUpdate Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1280
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Clean Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3⤵
    PID:1740
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Device Control Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    3⤵
    PID:4784
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos File Scanner Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3⤵
    PID:100
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Health Service" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3⤵
    PID:1884
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Agent" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3⤵
    PID:4492
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos MCS Client" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3⤵
    PID:116
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Message Router" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3⤵
    PID:4600
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Safestore Service" /y
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3⤵
    PID:348
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos System Protection Service" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3⤵
    PID:2472
- C:\Windows\SysWOW64\net.exe
  net stop "Sophos Web Control Service" /y
  2⤵
  PID:4420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    3⤵
    PID:4116
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Backup Service" /y
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1308
- C:\Windows\SysWOW64\net.exe
  net stop "SQLsafe Filter Service" /y
  2⤵
  PID:4100
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:344
- C:\Windows\SysWOW64\net.exe
  net stop "Symantec System Recovery" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3204
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3⤵
    PID:4716
- C:\Windows\SysWOW64\net.exe
  net stop "Veeam Backup Catalog Data Service" /y
  2⤵
  PID:4480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3⤵
    PID:1556
- C:\Windows\SysWOW64\net.exe
  net stop "AcronisAgent" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcronisAgent" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4640
- C:\Windows\SysWOW64\net.exe
  net stop "AcrSch2Svc" /y
  2⤵
  PID:3272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AcrSch2Svc" /y
    3⤵
    PID:3432
- C:\Windows\SysWOW64\net.exe
  net stop "Antivirus" /y
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Antivirus" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3148
- C:\Windows\SysWOW64\net.exe
  net stop "ARSM" /y
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ARSM" /y
    3⤵
    PID:4392
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentAccelerator" /y
  2⤵
  PID:2720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
    3⤵
    PID:4588
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecAgentBrowser" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y
    3⤵
    PID:2276
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecDeviceMediaService" /y
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
    3⤵
    PID:4760
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecJobEngine" /y
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2100
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecManagementService" /y
  2⤵
  PID:2232
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecManagementService" /y
    3⤵
    PID:768
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecRPCService" /y
  2⤵
  PID:1348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecRPCService" /y
    3⤵
    PID:4500
- C:\Windows\SysWOW64\net.exe
  net stop "BackupExecVSSProvider" /y
  2⤵
  PID:3236
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
    3⤵
    PID:2036
- C:\Windows\SysWOW64\net.exe
  net stop "bedbg" /y
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "bedbg" /y
    3⤵
    PID:3036
- C:\Windows\SysWOW64\net.exe
  net stop "DCAgent" /y
  2⤵
  PID:4856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "DCAgent" /y
    3⤵
    PID:1212
- C:\Windows\SysWOW64\net.exe
  net stop "EPSecurityService" /y
  2⤵
  PID:3264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPSecurityService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- C:\Windows\SysWOW64\net.exe
  net stop "EPUpdateService" /y
  2⤵
  PID:3140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EPUpdateService" /y
    3⤵
    PID:1284
- C:\Windows\SysWOW64\net.exe
  net stop "EraserSvc11710" /y
  2⤵
  PID:396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EraserSvc11710" /y
    3⤵
    PID:1444
- C:\Windows\SysWOW64\net.exe
  net stop "EsgShKernel" /y
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EsgShKernel" /y
    3⤵
    PID:4240
- C:\Windows\SysWOW64\net.exe
  net stop "FA_Scheduler" /y
  2⤵
  PID:4224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "FA_Scheduler" /y
    3⤵
    PID:5044
- C:\Windows\SysWOW64\net.exe
  net stop "IISAdmin" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IISAdmin" /y
    3⤵
    PID:3284
- C:\Windows\SysWOW64\net.exe
  net stop "IMAP4Svc" /y
  2⤵
  PID:4708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IMAP4Svc" /y
    3⤵
    PID:1016
- C:\Windows\SysWOW64\net.exe
  net stop "macmnsvc" /y
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "macmnsvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1636
- C:\Windows\SysWOW64\net.exe
  net stop "masvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "masvc" /y
    3⤵
    PID:1260
- C:\Windows\SysWOW64\net.exe
  net stop "MBAMService" /y
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBAMService" /y
    3⤵
    PID:4932
- C:\Windows\SysWOW64\net.exe
  net stop "MBEndpointAgent" /y
  2⤵
  PID:4140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MBEndpointAgent" /y
    3⤵
    PID:3636
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeEngineService" /y
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeEngineService" /y
    3⤵
    PID:3376
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFramework" /y
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFramework" /y
    3⤵
    PID:1336
- C:\Windows\SysWOW64\net.exe
  net stop "McAfeeFrameworkMcAfeeFramework" /y
  2⤵
  PID:3192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y
    3⤵
    PID:4728
- C:\Windows\SysWOW64\net.exe
  net stop "McShield" /y
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McShield" /y
    3⤵
    PID:1344
- C:\Windows\SysWOW64\net.exe
  net stop "McTaskManager" /y
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "McTaskManager" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
- C:\Windows\SysWOW64\net.exe
  net stop "mfemms" /y
  2⤵
  PID:4196
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfemms" /y
    3⤵
    PID:2144
- C:\Windows\SysWOW64\net.exe
  net stop "mfevtp" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfevtp" /y
    3⤵
    PID:4576
- C:\Windows\SysWOW64\net.exe
  net stop "MMS" /y
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MMS" /y
    3⤵
    PID:376
- C:\Windows\SysWOW64\net.exe
  net stop "mozyprobackup" /y
  2⤵
  PID:924
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mozyprobackup" /y
    3⤵
    PID:112
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer" /y
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer" /y
    3⤵
    PID:2104
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer100" /y
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer100" /y
    3⤵
    PID:3360
- C:\Windows\SysWOW64\net.exe
  net stop "MsDtsServer110" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer110" /y
    3⤵
    PID:4068
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeES" /y
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeES" /y
    3⤵
    PID:2156
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeIS" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeIS" /y
    3⤵
    PID:2340
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMGMT" /y
  2⤵
  PID:2456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
    3⤵
    PID:5028
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeMTA" /y
  2⤵
  PID:3208
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeMTA" /y
    3⤵
    PID:628
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSA" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSA" /y
    3⤵
    PID:4836
- C:\Windows\SysWOW64\net.exe
  net stop "MSExchangeSRS" /y
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSRS" /y
    3⤵
    PID:4992
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SQL_2008" /y
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
    3⤵
    PID:2336
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$SYSTEM_BGC" /y
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
    3⤵
    PID:4432
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPS" /y
  2⤵
  PID:836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
    3⤵
    PID:2040
- C:\Windows\SysWOW64\net.exe
  net stop "MSOLAP$TPSAMA" /y
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1492
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$BKUPEXEC" /y
  2⤵
  PID:556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
    3⤵
    PID:3816
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$ECWDB2" /y
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
    3⤵
    PID:696
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTICEMGT" /y
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
    3⤵
    PID:2764
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PRACTTICEBGC" /y
  2⤵
  PID:4060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3308
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROFXENGAGEMENT" /y
  2⤵
  PID:3252
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
    3⤵
    PID:4604
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SBSMONITORING" /y
  2⤵
  PID:3200
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
    3⤵
    PID:332
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SHAREPOINT" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3452
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQL_2008" /y
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
    3⤵
    PID:4572
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SYSTEM_BGC" /y
  2⤵
  PID:5088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
    3⤵
    PID:3380
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPS" /y
  2⤵
  PID:3232
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPS" /y
    3⤵
    PID:3684
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$TPSAMA" /y
  2⤵
  PID:956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
    3⤵
    PID:4132
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  PID:3280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    PID:4788
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2012" /y
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
    3⤵
    PID:4400
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher" /y
  2⤵
  PID:4056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
    3⤵
    PID:3112
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
    3⤵
    PID:1944
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SBSMONITORING" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
    3⤵
    PID:1064
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SHAREPOINT" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
    3⤵
    PID:2920
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SQL_2008" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
    3⤵
    PID:4648
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$SYSTEM_BGC" /y
  2⤵
  PID:4296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
    3⤵
    PID:1672
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPS" /y
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3352
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLFDLauncher$TPSAMA" /y
  2⤵
  PID:2888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLSERVER" /y
  2⤵
  PID:4212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLSERVER" /y
    3⤵
    PID:1864
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper100" /y
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
    3⤵
    PID:5108
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerOLAPService" /y
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
    3⤵
    PID:4528
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL80" /y
  2⤵
  PID:2056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL80" /y
    3⤵
    PID:4452
- C:\Windows\SysWOW64\net.exe
  net stop "MySQL57" /y
  2⤵
  PID:3648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MySQL57" /y
    3⤵
    PID:640
- C:\Windows\SysWOW64\net.exe
  net stop "ntrtscan" /y
  2⤵
  PID:4120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ntrtscan" /y
    3⤵
    PID:1124
- C:\Windows\SysWOW64\net.exe
  net stop "OracleClientCache80" /y
  2⤵
  PID:3220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "OracleClientCache80" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:372
- C:\Windows\SysWOW64\net.exe
  net stop "PDVFSService" /y
  2⤵
  PID:3152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "PDVFSService" /y
    3⤵
    PID:2528
- C:\Windows\SysWOW64\net.exe
  net stop "POP3Svc" /y
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "POP3Svc" /y
    3⤵
    PID:4504
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer" /y
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer" /y
    3⤵
    PID:4472
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SQL_2008" /y
  2⤵
  PID:752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
    3⤵
    PID:3332
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$SYSTEM_BGC" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:876
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPS" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPS" /y
    3⤵
    PID:592
- C:\Windows\SysWOW64\net.exe
  net stop "ReportServer$TPSAMA" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
    3⤵
    PID:1948
- C:\Windows\SysWOW64\net.exe
  net stop "RESvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "RESvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3744
- C:\Windows\SysWOW64\net.exe
  net stop "sacsvr" /y
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sacsvr" /y
    3⤵
    PID:916
- C:\Windows\SysWOW64\net.exe
  net stop "SamSs" /y
  2⤵
  PID:4496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:1200
- C:\Windows\SysWOW64\net.exe
  net stop "SAVAdminService" /y
  2⤵
  PID:4052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVAdminService" /y
    3⤵
    PID:1820
- C:\Windows\SysWOW64\net.exe
  net stop "SAVService" /y
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SAVService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592
- C:\Windows\SysWOW64\net.exe
  net stop "SDRSVC" /y
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:3268
- C:\Windows\SysWOW64\net.exe
  net stop "SepMasterService" /y
  2⤵
  PID:944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SepMasterService" /y
    3⤵
    PID:3188
- C:\Windows\SysWOW64\net.exe
  net stop "ShMonitor" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ShMonitor" /y
    3⤵
    PID:5104
- C:\Windows\SysWOW64\net.exe
  net stop "Smcinst" /y
  2⤵
  PID:4936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Smcinst" /y
    3⤵
    PID:468
- C:\Windows\SysWOW64\net.exe
  net stop "SmcService" /y
  2⤵
  PID:3808
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SmcService" /y
    3⤵
    PID:4340
- C:\Windows\SysWOW64\net.exe
  net stop "SMTPSvc" /y
  2⤵
  PID:452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SMTPSvc" /y
    3⤵
    PID:2424
- C:\Windows\SysWOW64\net.exe
  net stop "SNAC" /y
  2⤵
  PID:3532
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SNAC" /y
    3⤵
    PID:212
- C:\Windows\SysWOW64\net.exe
  net stop "SntpService" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SntpService" /y
    3⤵
    PID:436
- C:\Windows\SysWOW64\net.exe
  net stop "sophossps" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "sophossps" /y
    3⤵
    PID:4416
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$BKUPEXEC" /y
  2⤵
  PID:4568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
    3⤵
    PID:3800
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$ECWDB2" /y
  2⤵
  PID:4940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
    3⤵
    PID:3212
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEBGC" /y
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
    3⤵
    PID:5032
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PRACTTICEMGT" /y
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
    3⤵
    PID:1828
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROFXENGAGEMENT" /y
  2⤵
  PID:4488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
    3⤵
    PID:2784
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SBSMONITORING" /y
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
    3⤵
    PID:1100
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SHAREPOINT" /y
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
    3⤵
    PID:2512
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQL_2008" /y
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
    3⤵
    PID:4384
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SYSTEM_BGC" /y
  2⤵
  PID:4408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
    3⤵
    PID:1172
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPS" /y
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
    3⤵
    PID:3844
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$TPSAMA" /y
  2⤵
  PID:704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
    3⤵
    PID:1136
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:1440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    PID:1404
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2012" /y
  2⤵
  PID:3108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
    3⤵
    PID:1400
- C:\Windows\SysWOW64\net.exe
  net stop "SQLBrowser" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4176
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLBrowser" /y
    3⤵
    PID:724
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSafeOLRService" /y
  2⤵
  PID:392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2208
- C:\Windows\SysWOW64\net.exe
  net stop "SQLSERVERAGENT" /y
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
    3⤵
    PID:2128
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY" /y
  2⤵
  PID:3244
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
    3⤵
    PID:5020
- C:\Windows\SysWOW64\net.exe
  net stop "SQLTELEMETRY$ECWDB2" /y
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y
    3⤵
    PID:3740
- C:\Windows\SysWOW64\net.exe
  net stop "SQLWriter" /y
  2⤵
  PID:5132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLWriter" /y
    3⤵
    PID:5184
- C:\Windows\SysWOW64\net.exe
  net stop "SstpSvc" /y
  2⤵
  PID:5200
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5248
- C:\Windows\SysWOW64\net.exe
  net stop "svcGenericHost" /y
  2⤵
  PID:5264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "svcGenericHost" /y
    3⤵
    PID:5312
- C:\Windows\SysWOW64\net.exe
  net stop "swi_filter" /y
  2⤵
  PID:5328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_filter" /y
    3⤵
    PID:5376
- C:\Windows\SysWOW64\net.exe
  net stop "swi_service" /y
  2⤵
  PID:5396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_service" /y
    3⤵
    PID:5444
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update_64" /y
  2⤵
  PID:5460
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update_64" /y
    3⤵
    PID:5508
- C:\Windows\SysWOW64\net.exe
  net stop "TmCCSF" /y
  2⤵
  PID:5524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TmCCSF" /y
    3⤵
    PID:5572
- C:\Windows\SysWOW64\net.exe
  net stop "tmlisten" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "tmlisten" /y
    3⤵
    PID:5636
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKey" /y
  2⤵
  PID:5652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKey" /y
    3⤵
    PID:5700
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyScheduler" /y
  2⤵
  PID:5716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyScheduler" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5764
- C:\Windows\SysWOW64\net.exe
  net stop "TrueKeyServiceHelper" /y
  2⤵
  PID:5780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y
    3⤵
    PID:5828
- C:\Windows\SysWOW64\net.exe
  net stop "UI0Detect" /y
  2⤵
  PID:5848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:5896
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBackupSvc" /y
  2⤵
  PID:5912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5960
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamBrokerSvc" /y
  2⤵
  PID:5976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y
    3⤵
    PID:6024
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCatalogSvc" /y
  2⤵
  PID:6040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
    3⤵
    PID:6088
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamCloudSvc" /y
  2⤵
  PID:6104
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4448
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploymentService" /y
  2⤵
  PID:3612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploymentService" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5160
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamDeploySvc" /y
  2⤵
  PID:5140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamDeploySvc" /y
    3⤵
    PID:5228
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamEnterpriseManagerSvc" /y
  2⤵
  PID:5324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
    3⤵
    PID:5348
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamMountSvc" /y
  2⤵
  PID:5392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamMountSvc" /y
    3⤵
    PID:5452
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamNFSSvc" /y
  2⤵
  PID:5420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
    3⤵
    PID:5504
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamRESTSvc" /y
  2⤵
  PID:5488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
    3⤵
    PID:5560
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamTransportSvc" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamTransportSvc" /y
    3⤵
    PID:5596
- C:\Windows\SysWOW64\net.exe
  net stop "W3Svc" /y
  2⤵
  PID:5712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "W3Svc" /y
    3⤵
    PID:5728
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  PID:5760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:5836
- C:\Windows\SysWOW64\net.exe
  net stop "WRSVC" /y
  2⤵
  PID:5804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WRSVC" /y
    3⤵
    PID:5892
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$VEEAMSQL2008R2" /y
  2⤵
  PID:5876
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
    3⤵
    PID:5944
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$VEEAMSQL2008R2" /y
  2⤵
  PID:5992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
    3⤵
    PID:6060
- C:\Windows\SysWOW64\net.exe
  net stop "VeeamHvIntegrationSvc" /y
  2⤵
  PID:6096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:456
- C:\Windows\SysWOW64\net.exe
  net stop "swi_update" /y
  2⤵
  PID:5124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "swi_update" /y
    3⤵
    PID:5180
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CXDB" /y
  2⤵
  PID:5252
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5380
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$CITRIX_METAFRAME" /y
  2⤵
  PID:5344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5448
- C:\Windows\SysWOW64\net.exe
  net stop "SQL Backups" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQL Backups" /y
    3⤵
    PID:5520
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$PROD" /y
  2⤵
  PID:5432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$PROD" /y
    3⤵
    PID:5576
- C:\Windows\SysWOW64\net.exe
  net stop "Zoolz 2 Service" /y
  2⤵
  PID:5672
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
    3⤵
    PID:5776
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQLServerADHelper" /y
  2⤵
  PID:5684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
    3⤵
    PID:5824
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$PROD" /y
  2⤵
  PID:5800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
    3⤵
    PID:5864
- C:\Windows\SysWOW64\net.exe
  net stop "msftesql$PROD" /y
  2⤵
  PID:5860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "msftesql$PROD" /y
    3⤵
    PID:5956
- C:\Windows\SysWOW64\net.exe
  net stop "NetMsmqActivator" /y
  2⤵
  PID:6020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    PID:6080
- C:\Windows\SysWOW64\net.exe
  net stop "EhttpSrv" /y
  2⤵
  PID:2700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "EhttpSrv" /y
    3⤵
    PID:5188
- C:\Windows\SysWOW64\net.exe
  net stop "ekrn" /y
  2⤵
  PID:5152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ekrn" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5240
- C:\Windows\SysWOW64\net.exe
  net stop "ESHASRV" /y
  2⤵
  PID:5304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ESHASRV" /y
    3⤵
    PID:5272
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SOPHOS" /y
  2⤵
  PID:5316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
    3⤵
    PID:5532
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SOPHOS" /y
  2⤵
  PID:5644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
    3⤵
    PID:5768
- C:\Windows\SysWOW64\net.exe
  net stop "AVP" /y
  2⤵
  PID:5620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "AVP" /y
    3⤵
    PID:5752
- C:\Windows\SysWOW64\net.exe
  net stop "klnagent" /y
  2⤵
  PID:5868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "klnagent" /y
    3⤵
    PID:5832
- C:\Windows\SysWOW64\net.exe
  net stop "MSSQL$SQLEXPRESS" /y
  2⤵
  PID:6032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6056
- C:\Windows\SysWOW64\net.exe
  net stop "SQLAgent$SQLEXPRESS" /y
  2⤵
  PID:812
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
    3⤵
    PID:5172
- C:\Windows\SysWOW64\net.exe
  net stop "wbengine" /y
  2⤵
  PID:6068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:5244
- C:\Windows\SysWOW64\net.exe
  net stop "kavfsslp" /y
  2⤵
  PID:5384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "kavfsslp" /y
    3⤵
    PID:5436
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFSGT" /y
  2⤵
  PID:5484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFSGT" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5516
- C:\Windows\SysWOW64\net.exe
  net stop "KAVFS" /y
  2⤵
  PID:5692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "KAVFS" /y
    3⤵
    PID:5640
- C:\Windows\SysWOW64\net.exe
  net stop "mfefire" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mfefire" /y
    3⤵
    PID:5808
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM zoolz.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5884
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM agntsvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbeng50.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6140
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM dbsnmp.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5156
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM encsvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5668
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM excel.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5964
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefoxconfig.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5872
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM infopath.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6048
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM isqlplussvc.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5480
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msaccess.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5840
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msftesql.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5952
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mspub.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5256
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopqos.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5772
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mydesktopservice.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5628
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6064
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-nt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5536
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mysqld-opt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5276
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocautoupds.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5456
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocomm.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM ocssd.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM onenote.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5920
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM oracle.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5948
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM outlook.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6156
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM powerpnt.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqbcoreservice.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6280
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlagent.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6340
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlbrowser.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6400
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlservr.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6464
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM sqlwriter.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6524
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM steam.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6580
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM synctime.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6640
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tbirdconfig.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6700
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6756
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thebat64.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6808
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM thunderbird.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM visio.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM winword.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6976
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM wordpad.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM xfssvccon.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7092
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM tmlisten.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7148
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM PccNTMon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6120
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM CNTAoSMgr.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM Ntrtscan.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6248
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM mbamtray.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\2025-01-25_bdf6ac02664baea655b103d50bdfd6ec_avoslocker_cobalt-strike_luca-stealer.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5928
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 4936
  2⤵
  - Program crash
  PID:6764

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2620 -ip 2620
1⤵
PID:6572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini

Filesize
488B

MD5
3a8067a8a03d844f8bfb4d07fc3837ee

SHA1
5a38e56cae3e23335e864fddc275f594faaf8e1d

SHA256
492c7c550ac83c2a50a9e415521f7c47b83caae047aba0c9baf29d8ae6b1fb2e

SHA512
c97a8f9a93eec46f2b16b6b275e936d336e09679d3a1456573540fae4569957e935b56542eb13ec8ad96b82d06a353fad020ac590c44c0d4cc17564188dc4374

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.MEDUSA

Filesize
623KB

MD5
cb9194d1652d1b7adf133a7115bd115b

SHA1
544375c044b7539bc40ac7e3d57b151d25c9ffb4

SHA256
25dfbf1577f69577316885886ca3fa56888c633c83787a5b3c90c06f6c433098

SHA512
82b25ab4d15adbfc45b9d7079f9d0b7aad2f587cb7f75001cdb570d524462c31287ad4bdcadd7c0a923eb7eaae291caf491eb3ad6d3136cd11be5e56c0cd96b8

Download Submit
F:\!!!READ_ME_MEDUSA!!!.txt

Filesize
3KB

MD5
eb325d190d7581289d070d081cb7e7e6

SHA1
225bedff90495c4260ec907feddb724b5aafaef7

SHA256
6cf8ba92114861b06da7f1d1259c8b5cfe2467dffcf9c22d734cafe0bdb338c5

SHA512
23c51b03ff4eaa4d21c44a2292a01d4bc5707268a46feee284813263b96cda501da3d4293abff4cc8e376dd0b7d88e0e1d6ce8ebb1fcebeed3117bc9bb2c297c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads