Malware Analysis Report

2024-09-11 02:34

Sample ID 240704-lc3v6atgjm
Target 20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker
SHA256 6112da76e670a9c450c3f55c1bcafe22ddd199983470ab8d7e24c03688524387
Tags
medusalocker defense_evasion evasion execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6112da76e670a9c450c3f55c1bcafe22ddd199983470ab8d7e24c03688524387

Threat Level: Known bad

The file 20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker was found to be: Known bad.

Malicious Activity Summary

medusalocker defense_evasion evasion execution impact persistence ransomware spyware stealer

Medusalocker family

MedusaLocker payload

Renames multiple (912) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (717) files with added filename extension

Drops file in Drivers directory

Deletes System State backups

Reads user/profile data of web browsers

Deletes itself

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Windows Management Instrumentation
T1047
Command and Scripting Interpreter
T1059
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Indicator Removal
T1070
File Deletion
T1070.004
Modify Registry
T1112
Direct Volume Access
T1006
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-04 09:24

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 09:24

Reported

2024-07-04 09:26

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (912) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\protocol C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe\" e" C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\COMPONENTS C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\a4ad412a-3915-4550-8bba-72246c19e5e1 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\665bc9f6-7f2d-490a-af1a-6cf01053efa7 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\config\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\RegBack\SAM C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\COMPONENTS.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\DEFAULT C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\Microsoft\Protect\S-1-5-18\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\RegBack\SYSTEM C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\SOFTWARE C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\RegBack\DEFAULT C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\a4ad412a-3915-4550-8bba-72246c19e5e1.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\7e3cc138-ca73-428a-95ae-ba81cc3e5599.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\SECURITY C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\BCD-Template.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\665bc9f6-7f2d-490a-af1a-6cf01053efa7.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\7e3cc138-ca73-428a-95ae-ba81cc3e5599 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\BCD-Template C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\COMPONENTS.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\RegBack\SOFTWARE C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\Application\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-13.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cayenne.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Sydney.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Menominee C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Kwajalein.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Oslo.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Pohnpei.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Tongatapu C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\cacerts.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Colombo.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Darwin.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Tokyo.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Bissau.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh88.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\EST5.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Halifax.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Stanley C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Midway.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Accra.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Canary.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Phoenix.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Algiers.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Montreal C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\HST10.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Easter C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Budapest C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-4 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Araguaina C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Dawson.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Metlakatla.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Denver C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Helsinki.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Bahia.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Fortaleza C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Kabul.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Almaty.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Dublin C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Marquesas.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\2cb2 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Panther\setupinfo C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\Boot\DVD\EFI\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\dewindow C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\1cb2 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\1th1 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\alloc_1 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\alloc_2 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\alloc_3 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Panther\setupinfo.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Boot\DVD\EFI\BCD C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\2cb1 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\1th0 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\1th2 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\absthr_0 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\enwindow C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File created C:\Windows\Panther\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Boot\DVD\PCAT\BCD C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\absthr_2 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A
File created C:\Windows\ehome\CreateDisc\Components\tables\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\2cb0 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\1cb1 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Panther\setupinfo.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\1cb0 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\absthr_1 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\alloc_0 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\2th1 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\2th2 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\2th0 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File created C:\Windows\Boot\DVD\PCAT\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Boot\PCAT\bootmgr C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\vssadmin.exe
PID 2104 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\bcdedit.exe
PID 2104 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\bcdedit.exe
PID 2104 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\bcdedit.exe
PID 2104 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\bcdedit.exe
PID 2104 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\bcdedit.exe
PID 2104 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\bcdedit.exe
PID 2104 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\wbadmin.exe
PID 2104 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\wbadmin.exe
PID 2104 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\wbadmin.exe
PID 2104 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\wbadmin.exe
PID 2104 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\wbadmin.exe
PID 2104 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\wbadmin.exe
PID 2104 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\System32\Wbem\wmic.exe
PID 2104 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\System32\Wbem\wmic.exe
PID 2104 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\System32\Wbem\wmic.exe
PID 2104 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\cmd.exe
PID 2104 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\cmd.exe
PID 2104 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe

"C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled No

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\202407~1.EXE >> NUL

Network

N/A

Files

C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\!!!HOW_TO_DECRYPT!!!.mht

MD5 8a2471b0964b0d7db0e445ca2f1e7cb1
SHA1 0390b882c357780e499ab8c09719d4712204a77d
SHA256 deb2346fc826267262737d588fb734f9633033ba19beb525fca8ea8e858c5829
SHA512 a5d985cfe274efbaa71c047b0810324dca18df2779715a774cc95ac187246b48c3c773c7ef74de8cb6b3272863b1023af981eca64a62b031c654bd4bfd4066a0

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 09:24

Reported

2024-07-04 09:26

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Renames multiple (717) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\wbadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\wbadmin.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\services C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\networks.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\protocol.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe\" e" C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\F: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\D: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\h: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\g: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\E: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\H: C:\Windows\SYSTEM32\vssadmin.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened (read-only) \??\h: C:\Windows\SYSTEM32\vssadmin.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\ELAM.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\system32\CatRoot2\edbres00002.jrs C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\DRIVERS.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\system32\CatRoot2\edb.chk C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\ResPriImageListLowCost C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\BCD-Template C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\73b1fb18-2342-425d-93a4-2f2897256b03 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\system32\CatRoot2\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\ResPriHMImageListLowCost C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\config\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\COMPONENTS.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\DRIVERS.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\BBI C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\SOFTWARE C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\eb6b0174-c98b-4422-934f-872812cfa039.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\73b1fb18-2342-425d-93a4-2f2897256b03.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\DEFAULT C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\bc50a4a9-b4b9-420a-b453-3b605987ef97.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\system32\CatRoot2\edbtmp.log C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\CatRoot2\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\SYSTEM C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\1757fe63-e7ad-4838-9a80-f4d19aa7ca3f.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Mozilla Firefox\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Google\Chrome\Application\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f2\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\postSigningData.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\metadata C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_w1\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f33\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\postSigningData.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\MsEdgeCrashpad\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f14\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f3\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f4\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\postSigningData C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f7\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\SourceHash{9BE518E6-ECC6-35A9-88E4-87755C07200F} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180381}.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_d2547453-e731-4fdf-8f92-95f955a44aca.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{71024AE4-039E-4CA4-87B4-2F64180401F0}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\SYSTEM32\wbadmin.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{E30D8B21-D82D-3211-82CC-0F0A5D1495E8} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{01B2627D-8443-41C0-97F0-9F72AC2FD6A0} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{71024AE4-039E-4CA4-87B4-2F64180401F0} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{F6080405-9FA8-4CAA-9982-14E95D1A3DAC} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BF08E976-B92E-4336-B56F-2171179476C4}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Panther\setupinfo C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{7DAD0258-515C-3DD4-8964-BD714199E0F7}.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Boot\DVD\PCAT\BCD C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\SoftwareDistribution\Download\SharedFileCache\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Panther\setupinfo.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\Boot\DVD\PCAT\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\Installer\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{662A0088-6FCD-45DD-9EA7-68674058AED5} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{71024AE4-039E-4CA4-87B4-2F64180401F0}.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{662A0088-6FCD-45DD-9EA7-68674058AED5}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\Boot\DVD\EFI\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\SYSTEM32\wbadmin.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{B175520C-86A2-35A7-8619-86DC379688B9}.1btc C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File created C:\Windows\Panther\!!!HOW_TO_DECRYPT!!!.mht C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Boot\DVD\EFI\BCD C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\e1ea7b2e20a22fbee6e9dd5d883e9f3cc75fdee790ea383a755da4381088ec52 C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\Download\SharedFileCache\ffb218cb78a2ca5b027e463f2a6bbb9c7036730212098e4fb7c330c70dcdfda4.inprocess C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
File opened for modification C:\Windows\Installer\SourceHash{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2} C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\vssadmin.exe
PID 3436 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 3436 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 3436 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 3436 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\bcdedit.exe
PID 3436 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 3436 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 3436 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 3436 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\SYSTEM32\wbadmin.exe
PID 3436 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\System32\Wbem\wmic.exe
PID 3436 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\System32\Wbem\wmic.exe
PID 3436 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\cmd.exe
PID 3436 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe C:\Windows\system32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe

"C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe"

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled No

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SYSTEM32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4440,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\202407~1.EXE >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

\Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.mht

MD5 c9adc207ece8f4e5743c9de9c2f8e766
SHA1 577a5e4874b0f4fcd6d5c70fbe6137298f571fa3
SHA256 7de544b06816575355f2992daa7b580bf2f91e52fd73be0b0b66c043ba5db1e3
SHA512 155d255dfcebca5823e688bd468364e8e56233618b236dc8b311bbcf316b05a08cfc05c7bf697e0294d626b95ccbbe2584f77922d50d30441ba8675838040815

memory/2372-1069-0x0000027694770000-0x0000027694780000-memory.dmp

memory/2372-1075-0x00000276947D0000-0x00000276947E0000-memory.dmp

memory/2372-1103-0x0000027698AE0000-0x0000027698AE1000-memory.dmp

memory/2372-1105-0x0000027698B80000-0x0000027698B81000-memory.dmp

memory/2372-1107-0x0000027698B80000-0x0000027698B81000-memory.dmp

memory/2372-1108-0x0000027698CC0000-0x0000027698CC1000-memory.dmp

memory/2372-1109-0x0000027698CE0000-0x0000027698CE1000-memory.dmp

memory/2372-1112-0x0000027698DC0000-0x0000027698DC1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2367C848C1C8A11F6F3502EDA2855348.1btc

MD5 f825e0285e56dc0bdf4d638a4f9507da
SHA1 576d2b292e349b5e9091945e591677d49ce605b0
SHA256 3698ac77f77d3a0a2a0406f287cc006087d89a07d855ace1b08edaafaec47d01
SHA512 e54b19e9ac2e9a5617f486b21ea4071196b8d13cecf1f27a1a6229d56731256b9f43f5f889e77feaac4df5e8d8d7f71aa45c7fe0517ce96ca891e516db9bd672

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E.1btc

MD5 18dc905467a2ecfa7b27cf8f0e43a611
SHA1 cd2ba2e5ccf04b9f5a59d9964384eb56e75b369f
SHA256 cff6bfb51ce88ef42b6fec3a89ad590bec1b500473ae23cb59fe6effe3ede07e
SHA512 a1f7e799bfb77a5dcfe1e3edf16c399d2cd87836c82fc48fb81ae9e79d94ee5a38f3e1f26083a2f7684c22a6b5bd4cd973ad31cd72c1841355bf87c1011ff2ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc

MD5 655f4258dab1c4cd39af55015236d7ee
SHA1 9f865b4d89105f29e309c46b92bf03d0c554a9fa
SHA256 68f1d3a251806a01b79ebc2cf93d4e3af973b96d427bf2f42f911d15eca340d6
SHA512 6b44bc94967cd49ac7992ea1328e2f2515aab1cd9ea88000b743079f83e07fe5fbca1f62cb6c6901875e1feef2dddf20b27574a6598492c8b0ccca243d793d33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7.1btc

MD5 e9f01332401e643deccabfcb294ac3bd
SHA1 62fcee05d3055a416f9867208936e8f56d97ae66
SHA256 1f4afdf97f00eb76e94eb798daab3581fae062eed840ba12621ff46d3570e6a0
SHA512 0dbb01aace59f93a447c7fbe00bcbb292f70da827f13e12f065404fa70c875723f40c6598020ae10fce93c43fce5a5131a21fa93cb5353f9d4c604c6c0b9a588

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F.1btc

MD5 897ee1f15ffeaf1a72903f24d7877247
SHA1 941b9fd34ef75688b7b8b87dc184033efefcb3e7
SHA256 919d98650f30ee7a7f32ec30a515b07ec6c4dc408b4c7476c710fa4ddf87d14c
SHA512 c0ccc2e6881fe895840c2eb2d1ff45d8b723ab81be03cb244960784b776314decc12ea936d4a85307c5a5c242426af9414ba0d94526b6e765ae123416da8791b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc

MD5 72b5b45e086f05351cbb59c135f8b006
SHA1 693281f77336c17141be210be4a840bcd3f7f613
SHA256 196686971424dcea3463199d3e6904ba950d2e1bc37092501221ac693e1816d0
SHA512 5436d532ada04e5d270e80a6402460b3a5a2695043b1355f98081214babe9b9e03bc1715e44a5324d70c9871f50ff25ed58ea6ee2a674113f723578d9ae8d169

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc

MD5 f2aaaa6a79258309613789ac50f845db
SHA1 5d2fee86d02acd8f81aa3aaa18ee26c47b0caf9b
SHA256 6aa9c9c7cf19ba4e59ea00a2b3df6aa843310b9f61a5fdf4e2dfe8b3a842790c
SHA512 aafa09c7d073c695299fa860371cdce360587a8e1b02776145248357aac09de7d6ce85d32470249d38e709653ee7c1ff27ed9c73a2b96ffadbc74c21b84b3c53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

MD5 ff51eb94d634d2871caa30ec33d09dc1
SHA1 dd8d38b2f22e151da928bbf9f6ee673ffd1a61f3
SHA256 6cd5841cbd7bd291db200bfd4c6f5b79a75d0fc4747d2e183c8846b01125c812
SHA512 47c32c5f8629b1c842c4cf22fda0ed23687cfc679a233240fdb3197576ca915d08a0f6778288d50d870f956f9fcbf7d13408f1afb8f38bed3e4fb7545d9011dc