Analysis Overview
SHA256
b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12
Threat Level: Known bad
The file b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12 was found to be: Known bad.
Malicious Activity Summary
Medusa Ransomware
Renames multiple (8891) files with added filename extension
Renames multiple (8663) files with added filename extension
Boot or Logon Autostart Execution: Active Setup
Reads user/profile data of web browsers
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Network Share Discovery
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Windows directory
Drops file in Program Files directory
System Network Configuration Discovery: Internet Connection Discovery
Program crash
Browser Information Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Runs ping.exe
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Checks processor information in registry
Modifies registry class
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Runs net.exe
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-20 16:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-20 16:44
Reported
2024-10-20 16:46
Platform
win10v2004-20241007-en
Max time kernel
66s
Max time network
56s
Command Line
Signatures
Medusa Ransomware
Renames multiple (8891) files with added filename extension
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Network Share Discovery
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\SmartSelect\RemoveStroke_Illustration.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Fonts\segxsym.ttf | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_ForwardDirection_DeskScale.jpg | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\selector.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.contrast-white_scale-100.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-ae\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\fr-FR\wab32res.dll.mui | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Windows\PCHEALTH\ERRORREP\QSIGNOFF\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-24_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\az_get.svg | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-24_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONE | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\WideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\uk-UA\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-40.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\plugin.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\MedTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Images\fb_blank_profile_portrait.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\de-DE\wmpnscfg.exe.mui | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_8.m4a | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\plugin.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
Browser Information Discovery
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Kills process with taskkill
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{94AE2E56-FDD4-43D3-82CB-0CE68B201507} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe
"C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe"
C:\Windows\SysWOW64\net.exe
net stop "Acronis VSS Provider" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
C:\Windows\SysWOW64\net.exe
net stop "Enterprise Client Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Enterprise Client Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Agent" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos AutoUpdate Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Clean Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Device Control Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos File Scanner Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Health Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos MCS Agent" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos MCS Client" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Message Router" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Safestore Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos System Protection Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Web Control Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLsafe Backup Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLsafe Filter Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Symantec System Recovery" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
C:\Windows\SysWOW64\net.exe
net stop "Veeam Backup Catalog Data Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
C:\Windows\SysWOW64\net.exe
net stop "AcronisAgent" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AcronisAgent" /y
C:\Windows\SysWOW64\net.exe
net stop "AcrSch2Svc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AcrSch2Svc" /y
C:\Windows\SysWOW64\net.exe
net stop "Antivirus" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Antivirus" /y
C:\Windows\SysWOW64\net.exe
net stop "ARSM" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ARSM" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecAgentAccelerator" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecAgentBrowser" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecDeviceMediaService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecJobEngine" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecManagementService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecManagementService" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecRPCService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecRPCService" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecVSSProvider" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
C:\Windows\SysWOW64\net.exe
net stop "bedbg" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "bedbg" /y
C:\Windows\SysWOW64\net.exe
net stop "DCAgent" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "DCAgent" /y
C:\Windows\SysWOW64\net.exe
net stop "EPSecurityService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPSecurityService" /y
C:\Windows\SysWOW64\net.exe
net stop "EPUpdateService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPUpdateService" /y
C:\Windows\SysWOW64\net.exe
net stop "EraserSvc11710" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EraserSvc11710" /y
C:\Windows\SysWOW64\net.exe
net stop "EsgShKernel" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EsgShKernel" /y
C:\Windows\SysWOW64\net.exe
net stop "FA_Scheduler" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "FA_Scheduler" /y
C:\Windows\SysWOW64\net.exe
net stop "IISAdmin" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IISAdmin" /y
C:\Windows\SysWOW64\net.exe
net stop "IMAP4Svc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IMAP4Svc" /y
C:\Windows\SysWOW64\net.exe
net stop "macmnsvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "macmnsvc" /y
C:\Windows\SysWOW64\net.exe
net stop "masvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "masvc" /y
C:\Windows\SysWOW64\net.exe
net stop "MBAMService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBAMService" /y
C:\Windows\SysWOW64\net.exe
net stop "MBEndpointAgent" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBEndpointAgent" /y
C:\Windows\SysWOW64\net.exe
net stop "McAfeeEngineService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeEngineService" /y
C:\Windows\SysWOW64\net.exe
net stop "McAfeeFramework" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeFramework" /y
C:\Windows\SysWOW64\net.exe
net stop "McAfeeFrameworkMcAfeeFramework" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y
C:\Windows\SysWOW64\net.exe
net stop "McShield" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McShield" /y
C:\Windows\SysWOW64\net.exe
net stop "McTaskManager" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McTaskManager" /y
C:\Windows\SysWOW64\net.exe
net stop "mfemms" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mfemms" /y
C:\Windows\SysWOW64\net.exe
net stop "mfevtp" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mfevtp" /y
C:\Windows\SysWOW64\net.exe
net stop "MMS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MMS" /y
C:\Windows\SysWOW64\net.exe
net stop "mozyprobackup" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mozyprobackup" /y
C:\Windows\SysWOW64\net.exe
net stop "MsDtsServer" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer" /y
C:\Windows\SysWOW64\net.exe
net stop "MsDtsServer100" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer100" /y
C:\Windows\SysWOW64\net.exe
net stop "MsDtsServer110" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer110" /y
C:\Windows\SysWOW64\net.exe
net stop "MSExchangeES" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeES" /y
C:\Windows\SysWOW64\net.exe
net stop "MSExchangeIS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeIS" /y
C:\Windows\SysWOW64\net.exe
net stop "MSExchangeMGMT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
C:\Windows\SysWOW64\net.exe
net stop "MSExchangeMTA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMTA" /y
C:\Windows\SysWOW64\net.exe
net stop "MSExchangeSA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSA" /y
C:\Windows\SysWOW64\net.exe
net stop "MSExchangeSRS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSRS" /y
C:\Windows\SysWOW64\net.exe
net stop "MSOLAP$SQL_2008" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
C:\Windows\SysWOW64\net.exe
net stop "MSOLAP$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net.exe
net stop "MSOLAP$TPS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
C:\Windows\SysWOW64\net.exe
net stop "MSOLAP$TPSAMA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$BKUPEXEC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$ECWDB2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$PRACTICEMGT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$PRACTTICEBGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$PROFXENGAGEMENT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$SBSMONITORING" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$SHAREPOINT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$SQL_2008" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$TPS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPS" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$TPSAMA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$VEEAMSQL2012" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$SBSMONITORING" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$SHAREPOINT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$SQL_2008" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$TPS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$TPSAMA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLSERVER" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLServerADHelper100" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLServerOLAPService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
C:\Windows\SysWOW64\net.exe
net stop "MySQL80" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MySQL80" /y
C:\Windows\SysWOW64\net.exe
net stop "MySQL57" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MySQL57" /y
C:\Windows\SysWOW64\net.exe
net stop "ntrtscan" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ntrtscan" /y
C:\Windows\SysWOW64\net.exe
net stop "OracleClientCache80" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "OracleClientCache80" /y
C:\Windows\SysWOW64\net.exe
net stop "PDVFSService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "PDVFSService" /y
C:\Windows\SysWOW64\net.exe
net stop "POP3Svc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "POP3Svc" /y
C:\Windows\SysWOW64\net.exe
net stop "ReportServer" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer" /y
C:\Windows\SysWOW64\net.exe
net stop "ReportServer$SQL_2008" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
C:\Windows\SysWOW64\net.exe
net stop "ReportServer$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net.exe
net stop "ReportServer$TPS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPS" /y
C:\Windows\SysWOW64\net.exe
net stop "ReportServer$TPSAMA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
C:\Windows\SysWOW64\net.exe
net stop "RESvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "RESvc" /y
C:\Windows\SysWOW64\net.exe
net stop "sacsvr" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "sacsvr" /y
C:\Windows\SysWOW64\net.exe
net stop "SamSs" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SysWOW64\net.exe
net stop "SAVAdminService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SAVAdminService" /y
C:\Windows\SysWOW64\net.exe
net stop "SAVService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SAVService" /y
C:\Windows\SysWOW64\net.exe
net stop "SDRSVC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SysWOW64\net.exe
net stop "SepMasterService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SepMasterService" /y
C:\Windows\SysWOW64\net.exe
net stop "ShMonitor" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ShMonitor" /y
C:\Windows\SysWOW64\net.exe
net stop "Smcinst" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Smcinst" /y
C:\Windows\SysWOW64\net.exe
net stop "SmcService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SmcService" /y
C:\Windows\SysWOW64\net.exe
net stop "SMTPSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SMTPSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "SNAC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SNAC" /y
C:\Windows\SysWOW64\net.exe
net stop "SntpService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SntpService" /y
C:\Windows\SysWOW64\net.exe
net stop "sophossps" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "sophossps" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$BKUPEXEC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$ECWDB2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$PRACTTICEBGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$PRACTTICEMGT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$PROFXENGAGEMENT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$SBSMONITORING" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$SHAREPOINT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$SQL_2008" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$TPS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$TPSAMA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$VEEAMSQL2012" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLBrowser" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBrowser" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLSafeOLRService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLSERVERAGENT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLTELEMETRY" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLTELEMETRY$ECWDB2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLWriter" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLWriter" /y
C:\Windows\SysWOW64\net.exe
net stop "SstpSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "svcGenericHost" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "svcGenericHost" /y
C:\Windows\SysWOW64\net.exe
net stop "swi_filter" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "swi_filter" /y
C:\Windows\SysWOW64\net.exe
net stop "swi_service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "swi_service" /y
C:\Windows\SysWOW64\net.exe
net stop "swi_update_64" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "swi_update_64" /y
C:\Windows\SysWOW64\net.exe
net stop "TmCCSF" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TmCCSF" /y
C:\Windows\SysWOW64\net.exe
net stop "tmlisten" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "tmlisten" /y
C:\Windows\SysWOW64\net.exe
net stop "TrueKey" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TrueKey" /y
C:\Windows\SysWOW64\net.exe
net stop "TrueKeyScheduler" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TrueKeyScheduler" /y
C:\Windows\SysWOW64\net.exe
net stop "TrueKeyServiceHelper" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y
C:\Windows\SysWOW64\net.exe
net stop "UI0Detect" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamBackupSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamBrokerSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamCatalogSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamCloudSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamDeploymentService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamDeploymentService" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamDeploySvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamDeploySvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamEnterpriseManagerSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamMountSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamMountSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamNFSSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamRESTSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamTransportSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamTransportSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "W3Svc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "W3Svc" /y
C:\Windows\SysWOW64\net.exe
net stop "wbengine" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SysWOW64\net.exe
net stop "WRSVC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WRSVC" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamHvIntegrationSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "swi_update" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "swi_update" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$CXDB" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$CITRIX_METAFRAME" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
C:\Windows\SysWOW64\net.exe
net stop "SQL Backups" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$PROD" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROD" /y
C:\Windows\SysWOW64\net.exe
net stop "Zoolz 2 Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLServerADHelper" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$PROD" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
C:\Windows\SysWOW64\net.exe
net stop "msftesql$PROD" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "msftesql$PROD" /y
C:\Windows\SysWOW64\net.exe
net stop "NetMsmqActivator" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\SysWOW64\net.exe
net stop "EhttpSrv" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EhttpSrv" /y
C:\Windows\SysWOW64\net.exe
net stop "ekrn" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ekrn" /y
C:\Windows\SysWOW64\net.exe
net stop "ESHASRV" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ESHASRV" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$SOPHOS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$SOPHOS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
C:\Windows\SysWOW64\net.exe
net stop "AVP" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AVP" /y
C:\Windows\SysWOW64\net.exe
net stop "klnagent" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "klnagent" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$SQLEXPRESS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$SQLEXPRESS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
C:\Windows\SysWOW64\net.exe
net stop "wbengine" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SysWOW64\net.exe
net stop "kavfsslp" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "kavfsslp" /y
C:\Windows\SysWOW64\net.exe
net stop "KAVFSGT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "KAVFSGT" /y
C:\Windows\SysWOW64\net.exe
net stop "KAVFS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "KAVFS" /y
C:\Windows\SysWOW64\net.exe
net stop "mfefire" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mfefire" /y
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM zoolz.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM agntsvc.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM dbeng50.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM dbsnmp.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM encsvc.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM excel.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefoxconfig.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM infopath.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM isqlplussvc.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msaccess.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msftesql.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mspub.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mydesktopqos.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mydesktopservice.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mysqld.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mysqld-nt.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mysqld-opt.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM ocautoupds.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM ocomm.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM ocssd.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM onenote.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM oracle.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM outlook.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM powerpnt.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sqbcoreservice.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sqlagent.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sqlbrowser.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sqlservr.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sqlwriter.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM steam.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM synctime.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM tbirdconfig.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM thebat.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM thebat64.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM thunderbird.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM visio.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM winword.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM wordpad.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM xfssvccon.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM tmlisten.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM PccNTMon.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM CNTAoSMgr.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM Ntrtscan.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mbamtray.exe /T
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 460 -ip 460
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 348
Network
Files
F:\!!!READ_ME_MEDUSA!!!.txt
| MD5 | 90f8ae3147b5b19654d393f919ca6b4d |
| SHA1 | dc617ea786f31a4bf22612b73d22566c71cc9e9a |
| SHA256 | e66bb2216c78f98b47c3a709b9d81f7f614b1015dc451f45b94192d8ac4b1715 |
| SHA512 | 365cd5276b1970177b06b0afb8437f8decdebe3f8048bbe052490e6713aa51514ae40333103cd0a8ff5955f3a4004e789ccb948640ba2655c1f3d5ca76e8ce4d |
C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini
| MD5 | eab718121fa11f9280bacb09cef5360f |
| SHA1 | 769c5f2470fa346650080c14a61e7677fcedb3bf |
| SHA256 | bf9c5d70a9ce78daf1b2b79da39eed658b5cb07689fb7d74797605c28f3ed112 |
| SHA512 | 241a0f2f63990493b069be95a9b988054964d410700f65dc9f8d8e94f166e684eebe5b7e74f1208addb8de4151ead8daf2445095e221b41a96def001820deaa2 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | 76cfe5b2090a39bb53d2a32903a5bc90 |
| SHA1 | 0c088a004dcf8ac71642c9e38f9719ff4ce2d3d6 |
| SHA256 | 190267398b92d694ae038e125f1047127dbf4270f3796c4396b1dab664c187ed |
| SHA512 | d8c243ba51fe7f78b90289cc4418d790220ce30745eabd83ee80fbfc7aea366afd1e149b42ea122dd3817759d836cd1055fb8cfd126f69ec544e8e6b1b132ca5 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | 431f2b3964706a6cf3fa873d10e8ed6c |
| SHA1 | 0d21a6286770af556ce63df0874369daf6a7942a |
| SHA256 | fe2739645f90e905bef9493fb8d3bc868679179aba1ff2fe3001ae6b3a737515 |
| SHA512 | 825670159433e6697b8dfd163488dd1a5b568794e15f29868e213625531da892d1209a2631c889830623c6339f995a7a40d25c97ee0f4f2c2be1d7d26db5810a |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | b1e1786e7afad21eaad3505b3b244290 |
| SHA1 | 881867d03bcd5434dbadd32bceff709d491f47f9 |
| SHA256 | a520bfaf699e29cfa78002d809a5a9a57a7055a7dede170127df62917903d852 |
| SHA512 | e51f13f9bc692b21323182af33805fbf917e080c329ee63a2f6f4a2aba9c4915a34a4fc2146d3ab5ceaadeaf2fc050cc68c9bc73703cec32bfdca45d57f1b6b5 |
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.MEDUSA
| MD5 | e6b05970faf5dac11edbd1c9044da28a |
| SHA1 | 4cdd699d44369a13b2367aba352a884802ab7ef0 |
| SHA256 | c863291610757bf6d8522a2402791c672c16c1a2224c3afae4d3ea2527caa3cb |
| SHA512 | 008440f5dff5c4d643d445248a820c8cba1f9af0edbc32da37c33e2a46edab46a1f25fbdbafa02fdfee33cbb73abddf2f532521bf0c3d948eef4236546b536ad |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-20 16:44
Reported
2024-10-20 16:46
Platform
win11-20241007-en
Max time kernel
106s
Max time network
92s
Command Line
Signatures
Medusa Ransomware
Renames multiple (8663) files with added filename extension
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-21-4018527317-446799424-2810249686-1000\desktop.ini | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4018527317-446799424-2810249686-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-4018527317-446799424-2810249686-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
Network Share Discovery
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-400.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DocumentCard\DocumentCardActions.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Spinner.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nothumbnail_34.svg | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\[email protected] | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\css\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\WidevineCdm\_platform_specific\win_x64\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\fr-FR\wmpnssci.dll.mui | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\ArchiveToastQuickAction.scale-80.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\node_modules\tslib\tslib.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\eu-es\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\spacing\DefaultSpacing.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\pages-app-tool-view.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-100.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-100.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\TXP_Package_Light.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-80_altform-lightunplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Styling.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psm1 | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files\Uninstall Information\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2021.427.1821.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib\types\IFabricConfig.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fr-fr\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\AppStore_icon.svg | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-96_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.scale-100.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-60_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Color.js | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Locales\he.pak.DATA | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\ado\adovbs.inc | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-125.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxWideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\security\policy\limited\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10R.CHM | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-32.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\main-selector.css | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\!!!READ_ME_MEDUSA!!!.txt | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\checkmark-2x.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\WeatherLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
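The rows in the file-modification table above mix two things: files the sample opened for modification (the encryption candidates) and copies of the ransom note, !!!READ_ME_MEDUSA!!!.txt, written into the directories it walked. Separating them turns the table into a list of directories reached and file types touched. The Python helper below is added here as an example and is not part of the sandbox report or the sample; it parses rows in this report's pipe-delimited layout and does that split. Seven indicator paths are copied from the table; treating every file with exactly the note's filename as a note and everything else as a touched file is an analyst assumption, as is grouping paths by their first two components under the drive.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Full path of the sample as it appears in the Process column of the report.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe"

# Ransom-note filename taken from the rows above. Treating every file with
# exactly this name as a note (and everything else as a touched file) is an
# analyst assumption, not something the report states.
NOTE_NAME = "!!!READ_ME_MEDUSA!!!.txt"

# Indicator paths copied from the file-modification table above (a subset,
# so the example stays short).
PATHS = [
    r"C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms",
    r"C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-125.png",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\!!!READ_ME_MEDUSA!!!.txt",
    r"C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md",
    r"C:\Program Files\Java\jre-1.8\lib\security\policy\limited\!!!READ_ME_MEDUSA!!!.txt",
    r"C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\!!!READ_ME_MEDUSA!!!.txt",
    r"C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml",
]

# Rebuild the rows in the report's pipe-delimited layout so the parser below
# works on the same text an analyst would paste from the page.
REPORT_EXCERPT = "\n".join(
    f"| File opened for modification | {p} | {SAMPLE_EXE} | N/A |" for p in PATHS
)

ROW_RE = re.compile(
    r"^\|\s*(?P<desc>[^|]*?)\s*\|\s*(?P<indicator>[^|]*?)\s*\|"
    r"\s*(?P<process>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|$"
)


def parse_rows(text):
    """Parse '| Description | Indicator | Process | Target |' rows, skipping the header."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("desc") != "Description":
            rows.append(m.groupdict())
    return rows


def classify_file_rows(rows):
    """Split 'File opened for modification' rows into ransom-note drops and other touched files."""
    notes, touched = [], []
    for r in rows:
        if r["desc"] != "File opened for modification":
            continue
        p = PureWindowsPath(r["indicator"])
        (notes if p.name == NOTE_NAME else touched).append(p)
    return notes, touched


def note_writers(rows):
    """Processes that wrote the ransom note; for this report it should be the sample alone."""
    return {r["process"] for r in rows
            if PureWindowsPath(r["indicator"]).name == NOTE_NAME}


def note_directories(notes):
    """Directories the sample reached, as evidenced by a note being dropped there."""
    return sorted({str(p.parent) for p in notes})


def touched_extensions(touched):
    """Extension histogram of non-note files opened for modification (encryption candidates)."""
    return Counter(p.suffix.lower() for p in touched)


def program_roots(paths):
    """Group paths by the first two components after the drive, e.g. 'Program Files\\Java'."""
    return Counter("\\".join(p.parts[1:3]) for p in paths)


if __name__ == "__main__":
    rows = parse_rows(REPORT_EXCERPT)
    notes, touched = classify_file_rows(rows)
    print(f"{len(rows)} rows: {len(notes)} note drops, {len(touched)} other files modified")
    print("note written by:", ", ".join(sorted(note_writers(rows))))
    for d in note_directories(notes):
        print("  note in", d)
    print("touched extensions:", dict(touched_extensions(touched)))
    print("roots reached:", dict(program_roots(notes + touched)))
```

The note_writers check is the one worth keeping in a triage script: a note written by any process other than the sample would mean the encryption routine runs from an injected or spawned process, which changes what to hunt for on other hosts.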
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
Kills process with taskkill
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133739163199753239" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
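The Checks SCSI registry key(s), Checks processor information in registry, Enumerates system info in registry, Modifies Internet Explorer settings, Modifies data under HKEY_USERS and Drops file in Windows directory tables above name explorer.exe, chrome.exe, SearchHost.exe or StartMenuExperienceHost.exe in the Process column, not the sample or the net.exe, net1.exe, taskkill.exe, cmd.exe and PING.EXE utilities it ran. Those rows record the analysis image's own shell and browser processes and, taken alone, do not show the sample fingerprinting the host, even though the SCSI indicators carry the Ven_QEMU and Msft Virtual DVD-ROM strings that VM-detection code looks for. The System Language Discovery rows, by contrast, are almost entirely net.exe, net1.exe and taskkill.exe, i.e. the sample's own process tree. The Python helper below is added here as an example and is not part of the report or the sample; it parses rows in this report's layout, attributes each to the sample's process tree or to the environment, and flags VM vendor strings per process so the distinction is mechanical rather than eyeballed. The embedded rows are copied from the tables above; the process-tree membership list and the VM marker list are analyst assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe"
SAMPLE_NAME = PureWindowsPath(SAMPLE_EXE).name.lower()

# Utilities the report shows the sample running ("Runs net.exe", "Kills process
# with taskkill", "Runs ping.exe", the cmd.exe/PING.EXE rows). Counting them as
# part of the sample's process tree is an analyst assumption.
SAMPLE_TREE = {SAMPLE_NAME, "net.exe", "net1.exe", "taskkill.exe", "cmd.exe", "ping.exe"}

# Substrings VM-detection code commonly looks for in device enumeration keys.
# Analyst-chosen list, not taken from the report.
VM_MARKERS = ("QEMU", "VBOX", "VMWARE", "VIRTUAL")

EXPLORER = r"C:\Windows\explorer.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SMEH = r"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"
NLS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
SCSI = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"

# (description, indicator, process, target) copied from the tables above;
# a subset of the rows so the example stays short.
ROWS = [
    ("Key opened", NLS, r"C:\Windows\SysWOW64\net1.exe", "N/A"),
    ("Key opened", NLS, r"C:\Windows\SysWOW64\net.exe", "N/A"),
    ("Key opened", NLS, r"C:\Windows\SysWOW64\net.exe", "N/A"),
    ("Key opened", NLS, r"C:\Windows\SysWOW64\taskkill.exe", "N/A"),
    ("Key opened", NLS, SAMPLE_EXE, "N/A"),
    ("N/A", "N/A", r"C:\Windows\SysWOW64\WerFault.exe", SAMPLE_EXE),
    ("Key opened", SCSI + r"\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000", EXPLORER, "N/A"),
    ("Key value queried", SCSI + r"\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName", EXPLORER, "N/A"),
    ("Key value queried", SCSI + r"\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID", EXPLORER, "N/A"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier", SMEH, "N/A"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", CHROME, "N/A"),
    ("Set value (int)", r'\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133739163199753239"', CHROME, "N/A"),
    ("File opened for modification", r"C:\Windows\SystemTemp", CHROME, "N/A"),
]
REPORT_EXCERPT = "\n".join(f"| {d} | {i} | {p} | {t} |" for d, i, p, t in ROWS)

ROW_RE = re.compile(
    r"^\|\s*(?P<desc>[^|]*?)\s*\|\s*(?P<indicator>[^|]*?)\s*\|"
    r"\s*(?P<process>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|$"
)


def parse_rows(text):
    """Parse '| Description | Indicator | Process | Target |' rows, skipping the header."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("desc") != "Description":
            rows.append(m.groupdict())
    return rows


def proc_name(path):
    """Lower-cased basename of a Process/Target cell; 'N/A' cells stay 'n/a'."""
    return PureWindowsPath(path).name.lower() if path != "N/A" else "n/a"


def per_process_counts(rows):
    """How many rows each process (by basename) accounts for."""
    return Counter(proc_name(r["process"]) for r in rows)


def attribute(rows):
    """Bucket rows into the sample's process tree vs. ambient environment activity.
    A row is sample-related if its process is the sample or a utility it spawned,
    or if its target is the sample (e.g. WerFault handling the sample's crash)."""
    buckets = {"sample_tree": [], "environment": []}
    for r in rows:
        related = (proc_name(r["process"]) in SAMPLE_TREE
                   or proc_name(r["target"]) == SAMPLE_NAME)
        buckets["sample_tree" if related else "environment"].append(r)
    return buckets


def vm_marker_hits(rows):
    """Rows whose indicator carries a VM vendor string, with the process that touched it."""
    hits = []
    for r in rows:
        upper = r["indicator"].upper()
        for marker in VM_MARKERS:
            if marker in upper:
                hits.append({"process": proc_name(r["process"]), "marker": marker,
                             "indicator": r["indicator"]})
                break
    return hits


if __name__ == "__main__":
    rows = parse_rows(REPORT_EXCERPT)
    buckets = attribute(rows)
    print("rows per process:", dict(per_process_counts(rows)))
    print(f"sample tree: {len(buckets['sample_tree'])} rows, "
          f"environment: {len(buckets['environment'])} rows")
    for h in vm_marker_hits(rows):
        print(f"VM marker {h['marker']} touched by {h['process']}: {h['indicator']}")
    print("VM markers touched by the sample tree:", vm_marker_hits(buckets["sample_tree"]))
```

Running vm_marker_hits over the sample-tree bucket alone is the check that matters: on this report it comes back empty, so the QEMU and Virtual DVD-ROM strings in the SCSI table are explorer.exe reading device properties, not the sample probing for a hypervisor.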
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018527317-446799424-2810249686-1000\{6231B79B-760B-4D76-8AEC-903C2FEB7F1B} | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018527317-446799424-2810249686-1000\{5E8ECD23-458E-4872-87A4-E311CF020804} | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727761486664525" | C:\Windows\explorer.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe
"C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe"
C:\Windows\SysWOW64\net.exe
net stop "Acronis VSS Provider" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
C:\Windows\SysWOW64\net.exe
net stop "Enterprise Client Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Enterprise Client Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Agent" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos AutoUpdate Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Clean Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Device Control Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos File Scanner Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Health Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos MCS Agent" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos MCS Client" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Message Router" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Safestore Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos System Protection Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Sophos Web Control Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLsafe Backup Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLsafe Filter Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
C:\Windows\SysWOW64\net.exe
net stop "Symantec System Recovery" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery" /y
C:\Windows\SysWOW64\net.exe
net stop "Veeam Backup Catalog Data Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
C:\Windows\SysWOW64\net.exe
net stop "AcronisAgent" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AcronisAgent" /y
C:\Windows\SysWOW64\net.exe
net stop "AcrSch2Svc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AcrSch2Svc" /y
C:\Windows\SysWOW64\net.exe
net stop "Antivirus" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Antivirus" /y
C:\Windows\SysWOW64\net.exe
net stop "ARSM" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ARSM" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecAgentAccelerator" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecAgentAccelerator" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecAgentBrowser" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecAgentBrowser" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecDeviceMediaService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecDeviceMediaService" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecJobEngine" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecJobEngine" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecManagementService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecManagementService" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecRPCService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecRPCService" /y
C:\Windows\SysWOW64\net.exe
net stop "BackupExecVSSProvider" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "BackupExecVSSProvider" /y
C:\Windows\SysWOW64\net.exe
net stop "bedbg" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "bedbg" /y
C:\Windows\SysWOW64\net.exe
net stop "DCAgent" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "DCAgent" /y
C:\Windows\SysWOW64\net.exe
net stop "EPSecurityService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPSecurityService" /y
C:\Windows\SysWOW64\net.exe
net stop "EPUpdateService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EPUpdateService" /y
C:\Windows\SysWOW64\net.exe
net stop "EraserSvc11710" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EraserSvc11710" /y
C:\Windows\SysWOW64\net.exe
net stop "EsgShKernel" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EsgShKernel" /y
C:\Windows\SysWOW64\net.exe
net stop "FA_Scheduler" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "FA_Scheduler" /y
C:\Windows\SysWOW64\net.exe
net stop "IISAdmin" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IISAdmin" /y
C:\Windows\SysWOW64\net.exe
net stop "IMAP4Svc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IMAP4Svc" /y
C:\Windows\SysWOW64\net.exe
net stop "macmnsvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "macmnsvc" /y
C:\Windows\SysWOW64\net.exe
net stop "masvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "masvc" /y
C:\Windows\SysWOW64\net.exe
net stop "MBAMService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBAMService" /y
C:\Windows\SysWOW64\net.exe
net stop "MBEndpointAgent" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MBEndpointAgent" /y
C:\Windows\SysWOW64\net.exe
net stop "McAfeeEngineService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeEngineService" /y
C:\Windows\SysWOW64\net.exe
net stop "McAfeeFramework" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeFramework" /y
C:\Windows\SysWOW64\net.exe
net stop "McAfeeFrameworkMcAfeeFramework" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework" /y
C:\Windows\SysWOW64\net.exe
net stop "McShield" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McShield" /y
C:\Windows\SysWOW64\net.exe
net stop "McTaskManager" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "McTaskManager" /y
C:\Windows\SysWOW64\net.exe
net stop "mfemms" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mfemms" /y
C:\Windows\SysWOW64\net.exe
net stop "mfevtp" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mfevtp" /y
C:\Windows\SysWOW64\net.exe
net stop "MMS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MMS" /y
C:\Windows\SysWOW64\net.exe
net stop "mozyprobackup" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mozyprobackup" /y
C:\Windows\SysWOW64\net.exe
net stop "MsDtsServer" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer" /y
C:\Windows\SysWOW64\net.exe
net stop "MsDtsServer100" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer100" /y
C:\Windows\SysWOW64\net.exe
net stop "MsDtsServer110" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer110" /y
C:\Windows\SysWOW64\net.exe
net stop "MSExchangeES" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeES" /y
C:\Windows\SysWOW64\net.exe
net stop "MSExchangeIS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeIS" /y
C:\Windows\SysWOW64\net.exe
net stop "MSExchangeMGMT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMGMT" /y
C:\Windows\SysWOW64\net.exe
net stop "MSExchangeMTA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMTA" /y
C:\Windows\SysWOW64\net.exe
net stop "MSExchangeSA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSA" /y
C:\Windows\SysWOW64\net.exe
net stop "MSExchangeSRS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSRS" /y
C:\Windows\SysWOW64\net.exe
net stop "MSOLAP$SQL_2008" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SQL_2008" /y
C:\Windows\SysWOW64\net.exe
net stop "MSOLAP$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net.exe
net stop "MSOLAP$TPS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPS" /y
C:\Windows\SysWOW64\net.exe
net stop "MSOLAP$TPSAMA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPSAMA" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$BKUPEXEC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$ECWDB2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$ECWDB2" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$PRACTICEMGT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$PRACTTICEBGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$PROFXENGAGEMENT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$SBSMONITORING" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$SHAREPOINT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$SQL_2008" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQL_2008" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$TPS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPS" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$TPSAMA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPSAMA" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$VEEAMSQL2012" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$SBSMONITORING" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$SHAREPOINT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$SQL_2008" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$TPS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLFDLauncher$TPSAMA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLSERVER" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLServerADHelper100" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper100" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLServerOLAPService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerOLAPService" /y
C:\Windows\SysWOW64\net.exe
net stop "MySQL80" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MySQL80" /y
C:\Windows\SysWOW64\net.exe
net stop "MySQL57" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MySQL57" /y
C:\Windows\SysWOW64\net.exe
net stop "ntrtscan" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ntrtscan" /y
C:\Windows\SysWOW64\net.exe
net stop "OracleClientCache80" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "OracleClientCache80" /y
C:\Windows\SysWOW64\net.exe
net stop "PDVFSService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "PDVFSService" /y
C:\Windows\SysWOW64\net.exe
net stop "POP3Svc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "POP3Svc" /y
C:\Windows\SysWOW64\net.exe
net stop "ReportServer" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer" /y
C:\Windows\SysWOW64\net.exe
net stop "ReportServer$SQL_2008" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SQL_2008" /y
C:\Windows\SysWOW64\net.exe
net stop "ReportServer$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net.exe
net stop "ReportServer$TPS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPS" /y
C:\Windows\SysWOW64\net.exe
net stop "ReportServer$TPSAMA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPSAMA" /y
C:\Windows\SysWOW64\net.exe
net stop "RESvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "RESvc" /y
C:\Windows\SysWOW64\net.exe
net stop "sacsvr" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "sacsvr" /y
C:\Windows\SysWOW64\net.exe
net stop "SamSs" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SysWOW64\net.exe
net stop "SAVAdminService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SAVAdminService" /y
C:\Windows\SysWOW64\net.exe
net stop "SAVService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SAVService" /y
C:\Windows\SysWOW64\net.exe
net stop "SDRSVC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SysWOW64\net.exe
net stop "SepMasterService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SepMasterService" /y
C:\Windows\SysWOW64\net.exe
net stop "ShMonitor" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ShMonitor" /y
C:\Windows\SysWOW64\net.exe
net stop "Smcinst" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Smcinst" /y
C:\Windows\SysWOW64\net.exe
net stop "SmcService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SmcService" /y
C:\Windows\SysWOW64\net.exe
net stop "SMTPSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SMTPSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "SNAC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SNAC" /y
C:\Windows\SysWOW64\net.exe
net stop "SntpService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SntpService" /y
C:\Windows\SysWOW64\net.exe
net stop "sophossps" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "sophossps" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$BKUPEXEC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$ECWDB2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$ECWDB2" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$PRACTTICEBGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$PRACTTICEMGT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$PROFXENGAGEMENT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$SBSMONITORING" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$SHAREPOINT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$SQL_2008" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQL_2008" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$TPS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPS" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$TPSAMA" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPSAMA" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$VEEAMSQL2012" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLBrowser" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLBrowser" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLSafeOLRService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSafeOLRService" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLSERVERAGENT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLSERVERAGENT" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLTELEMETRY" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLTELEMETRY$ECWDB2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLWriter" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLWriter" /y
C:\Windows\SysWOW64\net.exe
net stop "SstpSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "svcGenericHost" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "svcGenericHost" /y
C:\Windows\SysWOW64\net.exe
net stop "swi_filter" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "swi_filter" /y
C:\Windows\SysWOW64\net.exe
net stop "swi_service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "swi_service" /y
C:\Windows\SysWOW64\net.exe
net stop "swi_update_64" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "swi_update_64" /y
C:\Windows\SysWOW64\net.exe
net stop "TmCCSF" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TmCCSF" /y
C:\Windows\SysWOW64\net.exe
net stop "tmlisten" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "tmlisten" /y
C:\Windows\SysWOW64\net.exe
net stop "TrueKey" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TrueKey" /y
C:\Windows\SysWOW64\net.exe
net stop "TrueKeyScheduler" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TrueKeyScheduler" /y
C:\Windows\SysWOW64\net.exe
net stop "TrueKeyServiceHelper" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TrueKeyServiceHelper" /y
C:\Windows\SysWOW64\net.exe
net stop "UI0Detect" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamBackupSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamBackupSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamBrokerSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamBrokerSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamCatalogSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCatalogSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamCloudSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamCloudSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamDeploymentService" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamDeploymentService" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamDeploySvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamDeploySvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamEnterpriseManagerSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamMountSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamMountSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamNFSSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamNFSSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamRESTSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamRESTSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamTransportSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamTransportSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "W3Svc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "W3Svc" /y
C:\Windows\SysWOW64\net.exe
net stop "wbengine" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SysWOW64\net.exe
net stop "WRSVC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WRSVC" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y
C:\Windows\SysWOW64\net.exe
net stop "VeeamHvIntegrationSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc" /y
C:\Windows\SysWOW64\net.exe
net stop "swi_update" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "swi_update" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$CXDB" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CXDB" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$CITRIX_METAFRAME" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME" /y
C:\Windows\SysWOW64\net.exe
net stop "SQL Backups" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQL Backups" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$PROD" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROD" /y
C:\Windows\SysWOW64\net.exe
net stop "Zoolz 2 Service" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQLServerADHelper" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$PROD" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROD" /y
C:\Windows\SysWOW64\net.exe
net stop "msftesql$PROD" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "msftesql$PROD" /y
C:\Windows\SysWOW64\net.exe
net stop "NetMsmqActivator" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\SysWOW64\net.exe
net stop "EhttpSrv" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "EhttpSrv" /y
C:\Windows\SysWOW64\net.exe
net stop "ekrn" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ekrn" /y
C:\Windows\SysWOW64\net.exe
net stop "ESHASRV" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "ESHASRV" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$SOPHOS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SOPHOS" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$SOPHOS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SOPHOS" /y
C:\Windows\SysWOW64\net.exe
net stop "AVP" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "AVP" /y
C:\Windows\SysWOW64\net.exe
net stop "klnagent" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "klnagent" /y
C:\Windows\SysWOW64\net.exe
net stop "MSSQL$SQLEXPRESS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS" /y
C:\Windows\SysWOW64\net.exe
net stop "SQLAgent$SQLEXPRESS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS" /y
C:\Windows\SysWOW64\net.exe
net stop "wbengine" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SysWOW64\net.exe
net stop "kavfsslp" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "kavfsslp" /y
C:\Windows\SysWOW64\net.exe
net stop "KAVFSGT" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "KAVFSGT" /y
C:\Windows\SysWOW64\net.exe
net stop "KAVFS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "KAVFS" /y
C:\Windows\SysWOW64\net.exe
net stop "mfefire" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mfefire" /y
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM zoolz.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM agntsvc.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM dbeng50.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM dbsnmp.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM encsvc.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM excel.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefoxconfig.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM infopath.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM isqlplussvc.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msaccess.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msftesql.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mspub.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mydesktopqos.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mydesktopservice.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mysqld.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mysqld-nt.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mysqld-opt.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM ocautoupds.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM ocomm.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM ocssd.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM onenote.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM oracle.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM outlook.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM powerpnt.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sqbcoreservice.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sqlagent.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sqlbrowser.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sqlservr.exe /T
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sqlwriter.exe /T
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4a33cc40,0x7ffc4a33cc4c,0x7ffc4a33cc58
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM steam.exe /T
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1776,i,176127162513767007,13262933062372257845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1772 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,176127162513767007,13262933062372257845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,176127162513767007,13262933062372257845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,176127162513767007,13262933062372257845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,176127162513767007,13262933062372257845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM synctime.exe /T
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3540,i,176127162513767007,13262933062372257845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4368 /prefetch:1
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM tbirdconfig.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM thebat.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM thebat64.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM thunderbird.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM visio.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM winword.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM wordpad.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM xfssvccon.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM tmlisten.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM PccNTMon.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM CNTAoSMgr.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM Ntrtscan.exe /T
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mbamtray.exe /T
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4736,i,176127162513767007,13262933062372257845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4968,i,176127162513767007,13262933062372257845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4456 /prefetch:1
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\b091e38b4cdf341c2733c6e8c2199afd4ee05fc9f921a37c8e555198f1ec2e12.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3412 -ip 3412
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 324
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\!!!READ_ME_MEDUSA!!!.txt
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
Files
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | 83c6b25b268a648d6545b800451ccf5f |
| SHA1 | 45cfd2e29505880d017dce908824d1801cb19b58 |
| SHA256 | 1e50706f50fa722ddd13b1dddc1655521d6f2e642325624a9f27a352efe30e8d |
| SHA512 | 28a7bbdb8641f9f876b1f80afc4da27a1a34f2a27526e53226d07df71468c1c1707d5ad30c6f8d17af018f0d5064c26f7c85dc0423051f24f6586f63ae608b33 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG
| MD5 | d3ff87266315e1232eeef4dea9edb8b5 |
| SHA1 | 13e0394fdae86e2cc10c1a71a69f0af34e40d3c0 |
| SHA256 | 061778da5a01640a477cb1334bdde76a6dbf245799d905eca73c71f01163ceed |
| SHA512 | f47f9c0d220e1803f130e0ddb6b478a61fe438dcd58d7908373f38cdea8c78fb753c47339d81899bccc4e62c6209c514048901800bd45d7e251dd9918e24ecd8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log
| MD5 | 2f4fb4e2f4949eab9a9bb5369f833cf4 |
| SHA1 | a943c737c29ce3e356846ef891a280e05b9507e4 |
| SHA256 | 42890f4c3e72ca8c742c80aec90d69f01653f0f76efaa21d72a21195ff8a634c |
| SHA512 | 17d8f466f8b3f610083f157ef453085fc0ee4df36f8785ce2f143a1fa3491f83fec5e82f7ad569431d4c778d647316fa5bb894cff79a1b3c5de6fe6e2ed652b6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13373916319104297
| MD5 | 02c8cc28001880c202edf04e5a650863 |
| SHA1 | 16213350824ab9d3b9a905604209987f525352b0 |
| SHA256 | ae75a3e4df201506eb73767a8d9e7b7d9253e5afae7addf6d9377b3d2006e246 |
| SHA512 | 9ce2b207df897d0a31b226a03741a1de345111bea0124758a07b741ef692265ff3c1666558762902a772a6f51f1c9623d8eb13973fabea488ce128c9ae0b4867 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
| MD5 | cdc28bb642726a338c76f39f2a389f13 |
| SHA1 | 658bb82b8ab9b388884b37cdbbbf40ead52f6e96 |
| SHA256 | 49a0dae6c01020cc659a0b6c0beb0e14621cd83db27ddf00816778e3bce5fa1f |
| SHA512 | beb0a057a584186f5e330dd4faaa1e969005cb5a8417352208270a374ad6840de2df5389b1881a873c2113e046f7047e703291bd9e13ae4d07a66ecae97614ba |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log
| MD5 | 97394e1ad7c2e8be595c9f29fb04deb0 |
| SHA1 | a3e0202a08bed0ec7af9cf6b21cb2ca680e470a9 |
| SHA256 | ac921f9826765d2e6e13a32bfe0858d81f9665916f247f4205846fc53e539914 |
| SHA512 | fddad3e85a85af5a0e7f3a0020ce1e74996658e4f501ad1ca019a5699a59ec4d6ce2ef179816cabada9f47dce610a9e5a051c62114094bb94c08a9521f5ee644 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
| MD5 | 97a87892b1d09baf7c0ecd0a666482d0 |
| SHA1 | d8d696b2eb4241eb2329b25ba1c7584480a7dece |
| SHA256 | 81ed9378a3085c224d422e9839d8832cb2b5e81aa35ef9e73180964547f347a6 |
| SHA512 | 450e79e70c20453ec0f81d962ba8dac6b1d596a4125c1430de41d30c20b4431e9c13e4936872720907ace317905e57df5adcc4ac84efef8d02927da7662bf263 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db
| MD5 | bd6656ab7a9a7df3a3379e7736b39269 |
| SHA1 | 3c44acc46638830a16bc7a5a054d97a8833da9cf |
| SHA256 | 73b68f4f9c8462577458613fea86cbc9d56de722a55d5f3b55e742d96fe02aab |
| SHA512 | 25251d5508fc294dfb54e2338555d38eae6886c722b71a77ea1cb1d6c0147ccbbdf7d5034a83f89831e95e9463a9ad826db930ba41e18e2a27a70ceaaca29538 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | 49ff6387f38115fb4982bf04f6b2bf53 |
| SHA1 | 9bbdf8e369877a04d5be1b360722437deced879e |
| SHA256 | e97b0e181b39ed42e605f8f3b0d899fd145725577b99391d65a7250bed53fad8 |
| SHA512 | 7311ddd6c33093c033a3298260490bf5f70671965cdb22f9a5ac67abff372814df0b50d1765d6e4bd5aa7188ab1bdc458f2f9208023a6473e51b914de1c6ec6f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | c6fc0a64fe2ff9e8232692dd24f93c0a |
| SHA1 | 8b7f779814b599e3c8b3d7cc1da2fd461c8ac1b7 |
| SHA256 | 44d4c6f9714cd79b39dd4fd0f3d89c349b3ba6497bac57b4b29169ff96f64a87 |
| SHA512 | 13e09cf135e0183692d8be9dfd6be6c84dd7f6d4d1138ab61b5528b13a9b0f1afba0ee338cb9907f0a0290e9da2f1aa30880e0cb691d396ba130fdfa1c8515e7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
| MD5 | 74579b37ccc6a3fcd0b88d60c0910281 |
| SHA1 | 0d7b66a0b603829a463296391f112020090ad985 |
| SHA256 | 0fc16066733deeab25cfc105c4fe1b2fb70c3198ef0886e0c6f75a4de65c38e4 |
| SHA512 | ce91d35b721b239895d5cce1208f6b39a781ad72df8c505a2c831df72c435229f4f326ac63ffb2074056d98a79deda6b364b77fc8bda654228ada2fe36a49f39 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser
| MD5 | 4f8b8f04184ff7f2b688e4df5a5e647e |
| SHA1 | f326286c8bc2c4b3482f223fdf859594541d7884 |
| SHA256 | f93413725d57984ef344d304de0b0c9f37c75471a9a0f98a8f4c64cf4040d45e |
| SHA512 | 6b616c41b08d0a7757b7cf57ce3e170f4af756d132b356157958f24df301fae97760445391136c0a433219e7bcc065026b56774c7685abfdea91bb75292ecf00 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3
| MD5 | dd5bd60f985b2a9e3592fb20f509877b |
| SHA1 | 22e77951a8a36984601dfcf43b00bc4dd64f7b50 |
| SHA256 | dde8ab0f6a254f59c157143dd75a0c9ecd2edcbf979144f1fa5fb7625d651d34 |
| SHA512 | dba9d295727cb8bfdbe982f3a09b11df8b84ecf5e075e53349d21c3582460a6394f13d5665e7ae2a03b7822c83ea02cf91414cea70dbfa7c34e657bf3accec1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1
| MD5 | 48e7acd4187caa21de1b46a899cfb4e9 |
| SHA1 | 73e708c7152cbe3f6aff0b3dbd2ed1167db0de26 |
| SHA256 | 758ecc59c2ae72c450ba5adc3856e1527f09d99e0bb215dd8737eb64d9621d6e |
| SHA512 | 86b21973d84c1763c9bfbdc086a4ea222adb1e02f5b7069d169e0a10c30bab8de1ee27ce515dc70ef21d9cbeaef871d50792adba540c3afa5f2d94a36e56d941 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0
| MD5 | cd3d8172b6a80c0e8d1ec9bcd85e775e |
| SHA1 | 7406af862d32b4899a98b4a542f7248c7b223a48 |
| SHA256 | c97e4dd1b2e09a80738bf57141cc95a8e2b63f2ad5ef39b6b8f80eebb8f14061 |
| SHA512 | b8686e9c341adcdca3eb2375db927ecd228f4a4b65a79891053f72161b3d173b124e5b1dbe33e70d794e1ecf1ed9406d4124ff426c01f05e6e163deec1e20194 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1
| MD5 | f116b12a17eec15071283278c891cd14 |
| SHA1 | 5fd1d86813f1846a80c257e1635c3d4ad740401e |
| SHA256 | 398ab24c0099687473712d9729e05853c8629c4de7a7e4d9e852e8d6253dcba0 |
| SHA512 | 258688f478d7917566479587078dbc086beee7d1ca95842c34c72f665130d1a5f97bc68417dc3e61142e869bd0b199e847ab59f4bd076152973fe22e3f686cc4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager
| MD5 | c9ebec03386bbd610758d92d7b1f2995 |
| SHA1 | fb4a585560bdd487c0570f6f678b7119e16586e5 |
| SHA256 | f691016b776365c2383fd9efeeba78f56fe7b661bfddd9565b0b1c7ddd8eefea |
| SHA512 | 31e8f7ae57e7cb955f2101fff9d7ed700ca8c606a1b5759033059ac006ae42e7e02affd232d424533a24a2ce619b0624f4ae17984063eea2248cd26db6bc1bdc |
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.MEDUSA
| MD5 | 764e43a14bfceca0568ff465a77680f0 |
| SHA1 | 4fddec21e77c653cae4c2899de318217fe3ac587 |
| SHA256 | 4f9a04e32a97d116bb03874b0355c7a944feb0c5f50df348c142ef2408c719f4 |
| SHA512 | a6979330a23fb95af7bf8b6c0e620e6b8b0aad5c86e5cb4b19e6f73a8624138ed942c6cd4f3d5732e91658c31c5780dd3f61b9375a6b8787e69b03c0ae3b3b22 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 8eb2a6c50b7ba208c213f5ddb9ef05e5 |
| SHA1 | c0752d605e3e64db927718f552b68e6280f7a328 |
| SHA256 | f3087fc1f990e6f0590bce735dcd257b6645d22b0b38b33ea47701311316aae7 |
| SHA512 | 585c06ab7604253f61db09cc89b82c4571314815988d76facb49defca10f41a366af3a57d7fe0f808df8268c8cf9c771590f965c2534ae28835aa3666d1a2fed |
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.MEDUSA
| MD5 | fd7372ee7cab74817a4c6a87e3f80ab5 |
| SHA1 | 5cd7a0eb54ee7e7f1cd55b068c03c5bdd0ac7b01 |
| SHA256 | 69a02712d4f369a5abd5272bfefc56b9ca59db0d2946ff12693d3da16d0acc98 |
| SHA512 | 7bcb1aa424f8019619140a22138bbbd346c3723ea7062d8a8d037fc5275f450c153e6ffcd2eb50661655bb3af3e16a8744a6832df01c5796387e0c71aa472769 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
| MD5 | 3ae2501239269174f06c5c53ec401dde |
| SHA1 | e974aece0666c9e42cd77b73232aaa2205c6cb74 |
| SHA256 | 3b2727401cf5f9cceddc5489a0fde7fa0f72cddea6e4e67a1dc2a6b3f4bafca4 |
| SHA512 | a9210ada30bc2755a4c8b5b4b3750733327f762ca3b999c23693c2539dce01120a6beaecd750dbabe6ce90fdb0b7b0506677dbcbc1fa5f6d9f7cd94c70ba3550 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
| MD5 | 419a089e66b9e18ada06c459b000cb4d |
| SHA1 | ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a |
| SHA256 | c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424 |
| SHA512 | bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
| MD5 | f07f6f449a1325c3b41422e742020db3 |
| SHA1 | 7c1855268b0f06296060077e2de20fa232e6bbc5 |
| SHA256 | cd9f078c2fb61b0835a3368a9c63a51f1dec5e0457b560e3702dc6b325356264 |
| SHA512 | 2ee02e2e04910190f5c28dc595e89668702279637d7a3ecc59373b2724ed178ac7770efc5a9c630ada14cd575c94f79a0d3bb14e9253784c79fbbbe51f6dc090 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | e342f339c251a79743ed175f3cb21856 |
| SHA1 | f6a07d6b153a80787f4c554012ae7cf9226bdb29 |
| SHA256 | ce54b9c530ea7c3baebbc23880879425c0337f59c7c2e9964659c52013b8c629 |
| SHA512 | 1ff48a5734ff18fe64ea2e3f0496694f5c08cd13b9291e60f4edf8ef1dfca3513f6d8cec9ebe3f2c71831f3aab9881ab4c05761dc5b353951899fca6f41260ad |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.MEDUSA
| MD5 | 4c889d5b6848a13092a2bded6a4d08d9 |
| SHA1 | 86172cf32412827a6a44a5935b5411147257b6d0 |
| SHA256 | 59f416bb90440f27ab8fd4372166738947fc1631946fbf3bec6dd29abe06563f |
| SHA512 | 90733b58d01feccbcce8fd359e7342f3d23e8a73e24631a76f96aad3735ef46aca0c9e8d60f7274f2473908067b91aaa39737e7858a057b1268604e920b30a4c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.MEDUSA
| MD5 | eef1f1014ec2588095ad0bb2909cbaa8 |
| SHA1 | 6ca3d48c41a27793528dc788d69c0d8e729688a3 |
| SHA256 | 2516a18876103b7d15538bcc7703ddc4fa48ea05aeb925df66c2ca6ba31cd506 |
| SHA512 | da954d920de4b3cbd869ecf6f7c366972ebb8ed57eace378db370b2a2e6074ab78de6e31bee827f49fc0d41a85f751d31ecb1f150ec7fd94663ab2731ef7c0fd |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms
| MD5 | 40e0d1fc3428fdb927b536331b11c8c1 |
| SHA1 | 75973d5ec9af14e26c0a8aa534219fe463802538 |
| SHA256 | c28b71007bfac6b0c1df636f6fe27d1a830f421e77c40a32759d0ee89345d48c |
| SHA512 | 5b2c21605e756a9bb9da2c8e96169eadf260665ffe19c1ece4acda4e8cc48eaecdbd407d31d7c1e77bd6fe421e6fe563481ce4f525f76910088e117882fadc06 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
| MD5 | 9fb7b6baa11d193cf6d712b0cdaa96d1 |
| SHA1 | 10a446c66e3e79aae38f3fc5b9d3130bae34f8d0 |
| SHA256 | ca41557d3f54a78eaa73bf898b2c47a665ed284a9f8182ac956ee1814991baa7 |
| SHA512 | 2c5685c202f7212864e188590501df79ae8dfbbf40e589943d68daf7f3c4f5b4a649487fcb77048b21e237c4c07044b9188909491e25bbf14d2887c493fa0b5c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
| MD5 | 9775428159d43fc0e6ab2b10dc31974a |
| SHA1 | 7090e42dff6cbe57bacb2c949dc893e7a4f73ad2 |
| SHA256 | e0f23717c91eb4ab07e7c22ed470ec9b445872e9ee2d33c513c46cf302e19894 |
| SHA512 | 9ead7852f5a90e63f67d047006890540647b7b9d67e3c5fe642ac775df8d933d7fa862590eb73fc7b1afbea2d28433cf6bf03567220a47267ec9c3b83b56a3f5 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat
| MD5 | 0b5a563ebc6e5ec04d6656e3f334819e |
| SHA1 | b6c058e321f2534144672edaef733625c8c6d907 |
| SHA256 | fb81bc7518dd5464c2c3a895e596b36ed07dff9a04a3e4a33c736bba5762878e |
| SHA512 | 26e04c3aaf5023c61af292449f1469a094ee64628523ff9f610dfd04eed16e8e998ac5798a5bbb84d85d2b187e93ab1cfbcaa74e8566b968423be75c1f32f83c |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133739163756265741.txt
| MD5 | 5f1c60979b9db82664cbe9e511bbd1df |
| SHA1 | d9906662b4b3d255c59d3d7688eaa552dd9eb552 |
| SHA256 | 1d57c365cd1ee9147654f78faa239f7e786a8a49b17794ad04c90a7d7178c900 |
| SHA512 | 0d9c4e1dfde8383167994cf8d1a5162f17215ebe476f5d1d09d1da07a9395c056fcc369b7e6b00d65f817e52ca3c3c3c853783e39f39ff9f1cbe1fb27ead18a5 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
| MD5 | d32bfa3da5523b4df56ed47d09c3b0b2 |
| SHA1 | 48bdab4f0161ec4d1e8bdeb27cd89507d1a7319c |
| SHA256 | 4ce984f3740ff51ccecce989c1c5f74a2ac12075bad380658d76c25de22e7cbf |
| SHA512 | 7e2afdcedba82efe3d2022a383572edef7287e333a5bbd88b774aa6b31840b181d546810ebba9a974c8a9f0e5bf3970a1baa0b878e6b8165d4aef3dea10a30e8 |
memory/6896-28587-0x00000166DF530000-0x00000166DF531000-memory.dmp
memory/6896-28588-0x00000166DF530000-0x00000166DF531000-memory.dmp
memory/6896-28589-0x00000166DF530000-0x00000166DF531000-memory.dmp
memory/6896-28599-0x00000166DF530000-0x00000166DF531000-memory.dmp
memory/6896-28598-0x00000166DF530000-0x00000166DF531000-memory.dmp
memory/6896-28597-0x00000166DF530000-0x00000166DF531000-memory.dmp
memory/6896-28596-0x00000166DF530000-0x00000166DF531000-memory.dmp
memory/6896-28595-0x00000166DF530000-0x00000166DF531000-memory.dmp
memory/6896-28594-0x00000166DF530000-0x00000166DF531000-memory.dmp
memory/6896-28593-0x00000166DF530000-0x00000166DF531000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
| MD5 | 299ab5fc77f4e23b4ffecfcf4e3c19b0 |
| SHA1 | e5ceb5657645a8d523367f407f85aaa20d120076 |
| SHA256 | d1b6297e7da1b6af0573f9856e580fe45c0a6224508f152a495eb71ef0986bed |
| SHA512 | ea152c4f4b804e29aeb2a408821cda6b42abf3f2890144e206d2eaa7eeabd998fd7978d5e4abbf91e5a42174a2e056e830e02fea234769893995b38512a55c28 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001c.db.MEDUSA
| MD5 | 5c1e6d7662af5963f338adb3187c5916 |
| SHA1 | 4555af0a587e6d1179f36a8e644f17c4062f02c0 |
| SHA256 | 77924d59539d8dd4484a19ab1f7018c960645a27296f506855ca9d536fb455f9 |
| SHA512 | a687e3ca85c68fb57f25004cfc8bc90564828a66bdbe9504f876ae44d49d44edad876190f20d578631cf9e5703962496f3b14f5729141a0e2a8df4c5b6d49a3a |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133739163874041972.txt
| MD5 | 6dddcd4f1278c9edc8cbf3b7878e0466 |
| SHA1 | e735c72a89c697978d4023db020ddb6699e25d73 |
| SHA256 | 5b79c3f52b470e814b8ba8afaeafe6244773d23064a73c2b68b3804b123b1cc5 |
| SHA512 | bb266598adc58e0faae381eed2f3019b9f1341cc4c866274c0118ec055e0405645ff3ef36be3767606d8323cb49f0aa34b0c22c3f4ef565d308eaa017e581241 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
| MD5 | e0fd7e6b4853592ac9ac73df9d83783f |
| SHA1 | 2834e77dfa1269ddad948b87d88887e84179594a |
| SHA256 | feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122 |
| SHA512 | 289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55 |
F:\$RECYCLE.BIN\S-1-5-21-4018527317-446799424-2810249686-1000\desktop.ini
| MD5 | a526b9e7c716b3489d8cc062fbce4005 |
| SHA1 | 2df502a944ff721241be20a9e449d2acd07e0312 |
| SHA256 | e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066 |
| SHA512 | d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg
| MD5 | 2257fa8cef64a74c33655bd5f74ef5e5 |
| SHA1 | b9f8baf96166f99cb1983563e632e6e69984ad5c |
| SHA256 | ead48b70e048de6ccca219a229ca90b49a9d1b9c14bf3a7c5eaad544294fcfd3 |
| SHA512 | 7792be9b935a46a923e97bb76b76957070e116dcc4cb6fcd8b883c2d6f142285ebc9fd26cdf29bd19c8bdff412487f586abaa1724332b613e71afa45d7f3e4f9 |