Malware Analysis Report

2024-12-07 17:08

Sample ID 241019-ztk9bsydqd
Target b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12
SHA256 b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12
Tags
medusaransomware credential_access defense_evasion discovery execution impact ransomware spyware stealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12

Threat Level: Known bad

The file b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12 was found to be: Known bad.

Malicious Activity Summary

medusaransomware credential_access defense_evasion discovery execution impact ransomware spyware stealer persistence

Medusa Ransomware

Deletes shadow copies

Renames multiple (8878) files with added filename extension

Renames multiple (8841) files with added filename extension

Boot or Logon Autostart Execution: Active Setup

Reads user/profile data of web browsers

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Enumerates connected drives

Drops desktop.ini file(s)

Network Share Discovery

Drops file in Program Files directory

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

System Network Configuration Discovery: Internet Connection Discovery

Uses Volume Shadow Copy service COM API

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies registry class

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Kills process with taskkill

Runs net.exe

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 21:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 21:00

Reported

2024-10-19 21:03

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe"

Signatures

Medusa Ransomware

ransomware medusaransomware

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (8841) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\39RANI6K\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AQYH36ZT\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U3EGUGI8\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T1DP8V76\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QMPQWRBT\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BY17T927\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A

Network Share Discovery

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00242_.WMF C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACC.OLB C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285462.WMF C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCDDS.DLL C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PTXT9.DLL C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185818.WMF C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18254_.WMF C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR44B.GIF C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.XML C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287415.WMF C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdaorar.dll.mui C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21322_.GIF C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcer.dll.mui C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\en.ttt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1A.BDR C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01172_.WMF C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODEXL.DLL C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18212_.WMF C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\ChkrRes.dll.mui C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPERSON.DLL C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\plugin.jar C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\TIME.XML C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\ContentDirectory.xml C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\es-ES\Sidebar.exe.mui C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRTINST.WMF C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SlateBlue.css C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.htm C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\custom.lua C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\WMPSideShowGadget.exe.mui C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1708 wrote to memory of 2204 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1708 wrote to memory of 2204 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1708 wrote to memory of 2204 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1708 wrote to memory of 2204 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1984 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2476 wrote to memory of 2704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2476 wrote to memory of 2704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2476 wrote to memory of 2704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2476 wrote to memory of 2704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1984 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2700 wrote to memory of 2788 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2700 wrote to memory of 2788 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2700 wrote to memory of 2788 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2700 wrote to memory of 2788 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1984 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2804 wrote to memory of 2864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2804 wrote to memory of 2864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2804 wrote to memory of 2864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2804 wrote to memory of 2864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1984 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2952 wrote to memory of 2944 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2952 wrote to memory of 2944 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2952 wrote to memory of 2944 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2952 wrote to memory of 2944 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1984 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2728 wrote to memory of 2940 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2728 wrote to memory of 2940 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2728 wrote to memory of 2940 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2728 wrote to memory of 2940 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1984 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2872 wrote to memory of 2632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2872 wrote to memory of 2632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2872 wrote to memory of 2632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2872 wrote to memory of 2632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1984 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1984 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2784 wrote to memory of 2620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2784 wrote to memory of 2620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2784 wrote to memory of 2620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2784 wrote to memory of 2620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe

"C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe"

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "AcronisAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcronisAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "Antivirus" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Antivirus" /y

C:\Windows\SysWOW64\net.exe

net stop "ARSM" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ARSM" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net.exe

net stop "bedbg" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "bedbg" /y

C:\Windows\SysWOW64\net.exe

net stop "DCAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "DCAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "EPSecurityService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPSecurityService" /y

C:\Windows\SysWOW64\net.exe

net stop "EPUpdateService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPUpdateService" /y

C:\Windows\SysWOW64\net.exe

net stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net.exe

net stop "EsgShKernel" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EsgShKernel" /y

C:\Windows\SysWOW64\net.exe

net stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "IISAdmin" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IISAdmin" /y

C:\Windows\SysWOW64\net.exe

net stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "macmnsvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "macmnsvc" /y

C:\Windows\SysWOW64\net.exe

net stop "masvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "masvc" /y

C:\Windows\SysWOW64\net.exe

net stop "MBAMService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBAMService" /y

C:\Windows\SysWOW64\net.exe

net stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McShield" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McShield" /y

C:\Windows\SysWOW64\net.exe

net stop "McTaskManager" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McTaskManager" /y

C:\Windows\SysWOW64\net.exe

net stop "mfemms" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfemms" /y

C:\Windows\SysWOW64\net.exe

net stop "mfevtp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfevtp" /y

C:\Windows\SysWOW64\net.exe

net stop "MMS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MMS" /y

C:\Windows\SysWOW64\net.exe

net stop "mozyprobackup" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mozyprobackup" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeES" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeES" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL80" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL57" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL57" /y

C:\Windows\SysWOW64\net.exe

net stop "ntrtscan" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ntrtscan" /y

C:\Windows\SysWOW64\net.exe

net stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net.exe

net stop "PDVFSService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "PDVFSService" /y

C:\Windows\SysWOW64\net.exe

net stop "POP3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "POP3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "RESvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "RESvc" /y

C:\Windows\SysWOW64\net.exe

net stop "sacsvr" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sacsvr" /y

C:\Windows\SysWOW64\net.exe

net stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVAdminService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVAdminService" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVService" /y

C:\Windows\SysWOW64\net.exe

net stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "SepMasterService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SepMasterService" /y

C:\Windows\SysWOW64\net.exe

net stop "ShMonitor" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ShMonitor" /y

C:\Windows\SysWOW64\net.exe

net stop "Smcinst" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Smcinst" /y

C:\Windows\SysWOW64\net.exe

net stop "SmcService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SmcService" /y

C:\Windows\SysWOW64\net.exe

net stop "SMTPSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SMTPSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "SNAC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SNAC" /y

C:\Windows\SysWOW64\net.exe

net stop "SntpService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SntpService" /y

C:\Windows\SysWOW64\net.exe

net stop "sophossps" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sophossps" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLWriter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLWriter" /y

C:\Windows\SysWOW64\net.exe

net stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "svcGenericHost" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "svcGenericHost" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_filter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_filter" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_service" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update_64" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update_64" /y

C:\Windows\SysWOW64\net.exe

net stop "TmCCSF" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TmCCSF" /y

C:\Windows\SysWOW64\net.exe

net stop "tmlisten" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "tmlisten" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKey" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKey" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "W3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "W3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "WRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net stop "EhttpSrv" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EhttpSrv" /y

C:\Windows\SysWOW64\net.exe

net stop "ekrn" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ekrn" /y

C:\Windows\SysWOW64\net.exe

net stop "ESHASRV" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ESHASRV" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "AVP" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AVP" /y

C:\Windows\SysWOW64\net.exe

net stop "klnagent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "klnagent" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "kavfsslp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "kavfsslp" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFSGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFSGT" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFS" /y

C:\Windows\SysWOW64\net.exe

net stop "mfefire" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfefire" /y

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM zoolz.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM agntsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbeng50.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbsnmp.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM encsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM excel.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefoxconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM infopath.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM isqlplussvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msaccess.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msftesql.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mspub.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopqos.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-nt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-opt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocautoupds.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocomm.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocssd.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM onenote.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM oracle.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM outlook.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM powerpnt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqbcoreservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlagent.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlbrowser.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlservr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlwriter.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM steam.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM synctime.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tbirdconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat64.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thunderbird.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM visio.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM winword.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM wordpad.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM xfssvccon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tmlisten.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM PccNTMon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM CNTAoSMgr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM Ntrtscan.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mbamtray.exe /T

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 164

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 3

Network

N/A

Files

F:\!!!READ_ME_MEDUSA!!!.txt

MD5 90f8ae3147b5b19654d393f919ca6b4d
SHA1 dc617ea786f31a4bf22612b73d22566c71cc9e9a
SHA256 e66bb2216c78f98b47c3a709b9d81f7f614b1015dc451f45b94192d8ac4b1715
SHA512 365cd5276b1970177b06b0afb8437f8decdebe3f8048bbe052490e6713aa51514ae40333103cd0a8ff5955f3a4004e789ccb948640ba2655c1f3d5ca76e8ce4d

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini

MD5 4b35dd80e2b6865bbdc14947c33a412f
SHA1 fbf9eee435678d06d90a8814b23d58aa5b116341
SHA256 1d8ff1787c44086bc399a6b86e20582b192127ab470e7ee6981cf8694549cc3e
SHA512 f535dffb458162892bdac24e6e4d3421d8db0120e20b01e201cdca414e44ab1f33109a3cbab5546700e94ff5f9af9f26a01feac4e670e65415c124ef3f807302

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 21:00

Reported

2024-10-19 21:03

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe"

Signatures

Medusa Ransomware

ransomware medusaransomware

Renames multiple (8878) files with added filename extension

ransomware

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A

Network Share Discovery

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-disabled_32.svg C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\en-US\wmpnssui.dll.mui C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\It.snippets.ps1xml C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\multiple-plans.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-100.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MediumTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ColorGeometryShader.cso C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main.css C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ar-ae\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\FreeCell.Large.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\mpvis.dll.mui C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\upsell.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\ContainExactly.ps1 C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\MSFT.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fi_get.svg C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmpnssci.dll.mui C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\!!!READ_ME_MEDUSA!!!.txt C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt-br_get.svg C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\MusicStoreLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\55.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-150.png C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{084B122F-4F24-49B5-B0C6-B995721278F1} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 3664 wrote to memory of 2212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3664 wrote to memory of 2212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3664 wrote to memory of 2212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2288 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 3652 wrote to memory of 1508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3652 wrote to memory of 1508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3652 wrote to memory of 1508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2288 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 4684 wrote to memory of 4224 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4684 wrote to memory of 4224 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4684 wrote to memory of 4224 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2288 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2612 wrote to memory of 4264 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2612 wrote to memory of 4264 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2612 wrote to memory of 4264 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2288 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 4896 wrote to memory of 1500 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4896 wrote to memory of 1500 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4896 wrote to memory of 1500 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2288 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 4172 wrote to memory of 3708 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4172 wrote to memory of 3708 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4172 wrote to memory of 3708 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2288 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 4244 wrote to memory of 1216 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4244 wrote to memory of 1216 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4244 wrote to memory of 1216 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2288 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 4548 wrote to memory of 2004 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4548 wrote to memory of 2004 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4548 wrote to memory of 2004 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2288 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 3424 wrote to memory of 964 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3424 wrote to memory of 964 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3424 wrote to memory of 964 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2288 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 3336 wrote to memory of 4932 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3336 wrote to memory of 4932 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3336 wrote to memory of 4932 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2288 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 2288 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe C:\Windows\SysWOW64\net.exe
PID 1028 wrote to memory of 2648 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe

"C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe"

C:\Windows\SysWOW64\net.exe

net stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Acronis VSS Provider" /y

C:\Windows\SysWOW64\net.exe

net stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Enterprise Client Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Clean Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Device Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Health Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Agent" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos MCS Client" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Message Router" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Safestore Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos System Protection Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Sophos Web Control Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Symantec System Recovery" /y

C:\Windows\SysWOW64\net.exe

net stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y

C:\Windows\SysWOW64\net.exe

net stop "AcronisAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcronisAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AcrSch2Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "Antivirus" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Antivirus" /y

C:\Windows\SysWOW64\net.exe

net stop "ARSM" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ARSM" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecJobEngine" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecManagementService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecRPCService" /y

C:\Windows\SysWOW64\net.exe

net stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y

C:\Windows\SysWOW64\net.exe

net stop "bedbg" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "bedbg" /y

C:\Windows\SysWOW64\net.exe

net stop "DCAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "DCAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "EPSecurityService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPSecurityService" /y

C:\Windows\SysWOW64\net.exe

net stop "EPUpdateService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EPUpdateService" /y

C:\Windows\SysWOW64\net.exe

net stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EraserSvc11710" /y

C:\Windows\SysWOW64\net.exe

net stop "EsgShKernel" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EsgShKernel" /y

C:\Windows\SysWOW64\net.exe

net stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "FA_Scheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "IISAdmin" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IISAdmin" /y

C:\Windows\SysWOW64\net.exe

net stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "IMAP4Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "macmnsvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "macmnsvc" /y

C:\Windows\SysWOW64\net.exe

net stop "masvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "masvc" /y

C:\Windows\SysWOW64\net.exe

net stop "MBAMService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBAMService" /y

C:\Windows\SysWOW64\net.exe

net stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MBEndpointAgent" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeEngineService" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y

C:\Windows\SysWOW64\net.exe

net stop "McShield" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McShield" /y

C:\Windows\SysWOW64\net.exe

net stop "McTaskManager" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "McTaskManager" /y

C:\Windows\SysWOW64\net.exe

net stop "mfemms" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfemms" /y

C:\Windows\SysWOW64\net.exe

net stop "mfevtp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfevtp" /y

C:\Windows\SysWOW64\net.exe

net stop "MMS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MMS" /y

C:\Windows\SysWOW64\net.exe

net stop "mozyprobackup" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mozyprobackup" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer100" /y

C:\Windows\SysWOW64\net.exe

net stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MsDtsServer110" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeES" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeES" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeIS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMGMT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeMTA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSExchangeSRS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLSERVER" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL80" /y

C:\Windows\SysWOW64\net.exe

net stop "MySQL57" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MySQL57" /y

C:\Windows\SysWOW64\net.exe

net stop "ntrtscan" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ntrtscan" /y

C:\Windows\SysWOW64\net.exe

net stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "OracleClientCache80" /y

C:\Windows\SysWOW64\net.exe

net stop "PDVFSService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "PDVFSService" /y

C:\Windows\SysWOW64\net.exe

net stop "POP3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "POP3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "RESvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "RESvc" /y

C:\Windows\SysWOW64\net.exe

net stop "sacsvr" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sacsvr" /y

C:\Windows\SysWOW64\net.exe

net stop "SamSs" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVAdminService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVAdminService" /y

C:\Windows\SysWOW64\net.exe

net stop "SAVService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SAVService" /y

C:\Windows\SysWOW64\net.exe

net stop "SDRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "SepMasterService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SepMasterService" /y

C:\Windows\SysWOW64\net.exe

net stop "ShMonitor" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ShMonitor" /y

C:\Windows\SysWOW64\net.exe

net stop "Smcinst" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Smcinst" /y

C:\Windows\SysWOW64\net.exe

net stop "SmcService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SmcService" /y

C:\Windows\SysWOW64\net.exe

net stop "SMTPSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SMTPSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "SNAC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SNAC" /y

C:\Windows\SysWOW64\net.exe

net stop "SntpService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SntpService" /y

C:\Windows\SysWOW64\net.exe

net stop "sophossps" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "sophossps" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLBrowser" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLBrowser" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSafeOLRService" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLWriter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLWriter" /y

C:\Windows\SysWOW64\net.exe

net stop "SstpSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "svcGenericHost" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "svcGenericHost" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_filter" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_filter" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_service" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update_64" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update_64" /y

C:\Windows\SysWOW64\net.exe

net stop "TmCCSF" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TmCCSF" /y

C:\Windows\SysWOW64\net.exe

net stop "tmlisten" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "tmlisten" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKey" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKey" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyScheduler" /y

C:\Windows\SysWOW64\net.exe

net stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "UI0Detect" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBackupSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamCloudSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploymentService" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamDeploySvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamMountSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamNFSSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamRESTSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamTransportSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "W3Svc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "W3Svc" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "WRSVC" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "WRSVC" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y

C:\Windows\SysWOW64\net.exe

net stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y

C:\Windows\SysWOW64\net.exe

net stop "swi_update" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "swi_update" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y

C:\Windows\SysWOW64\net.exe

net stop "SQL Backups" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQL Backups" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Zoolz 2 Service" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "msftesql$PROD" /y

C:\Windows\SysWOW64\net.exe

net stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\SysWOW64\net.exe

net stop "EhttpSrv" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "EhttpSrv" /y

C:\Windows\SysWOW64\net.exe

net stop "ekrn" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ekrn" /y

C:\Windows\SysWOW64\net.exe

net stop "ESHASRV" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "ESHASRV" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y

C:\Windows\SysWOW64\net.exe

net stop "AVP" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AVP" /y

C:\Windows\SysWOW64\net.exe

net stop "klnagent" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "klnagent" /y

C:\Windows\SysWOW64\net.exe

net stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y

C:\Windows\SysWOW64\net.exe

net stop "wbengine" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SysWOW64\net.exe

net stop "kavfsslp" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "kavfsslp" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFSGT" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFSGT" /y

C:\Windows\SysWOW64\net.exe

net stop "KAVFS" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "KAVFS" /y

C:\Windows\SysWOW64\net.exe

net stop "mfefire" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "mfefire" /y

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM zoolz.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM agntsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbeng50.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM dbsnmp.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM encsvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM excel.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefoxconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM infopath.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM isqlplussvc.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msaccess.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msftesql.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mspub.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopqos.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mydesktopservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-nt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld-opt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocautoupds.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocomm.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM ocssd.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM onenote.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM oracle.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM outlook.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM powerpnt.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqbcoreservice.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlagent.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlbrowser.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlservr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlwriter.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM steam.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM synctime.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tbirdconfig.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thebat64.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM thunderbird.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM visio.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM winword.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM wordpad.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM xfssvccon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tmlisten.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM PccNTMon.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM CNTAoSMgr.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM Ntrtscan.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mbamtray.exe /T

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2288 -ip 2288

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 364

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 28.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini

MD5 6e992cd2eb5d40be5ffe46810439ad14
SHA1 7c01160006915f3136c1183beb2d7e9868affcdf
SHA256 5b91c1a804cc92570ebff3dced2e1428e14b6132ca81e00bad84f9da7775d4f9
SHA512 2dea64e4df3708f20b0ac4de2e794333b871ef0373021bd9c4760a3ac6b1ef9df88ae222111772c3bc3754d15dfafd1e730525b65c3a045fdec482c703e928f4

F:\!!!READ_ME_MEDUSA!!!.txt

MD5 90f8ae3147b5b19654d393f919ca6b4d
SHA1 dc617ea786f31a4bf22612b73d22566c71cc9e9a
SHA256 e66bb2216c78f98b47c3a709b9d81f7f614b1015dc451f45b94192d8ac4b1715
SHA512 365cd5276b1970177b06b0afb8437f8decdebe3f8048bbe052490e6713aa51514ae40333103cd0a8ff5955f3a4004e789ccb948640ba2655c1f3d5ca76e8ce4d

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.MEDUSA

MD5 fa0e17172df22a28ffa06d2fdafed031
SHA1 3f5d4b7eaa6f4c4aba06737a6f96ce0ea8b139de
SHA256 b082257ef3bcdb91d2108b87372580d446956ee331ae90ee6e93aae8984e4078
SHA512 584c22b3762ae68193cab44258b56709423d4939c3f56a674fee32e5e491cdf0c862fab8fb692cadef78d9bfc31f3023c3a0514a4f2a4877c943cef9943732d6