
Analysis Report f6ifQ0POml

Overview

General Information

Sample Name: f6ifQ0POml (renamed file extension from none to exe)
Analysis ID: 377327
MD5: 82143033173cbeee7f559002fb8ab8c5
SHA1: e03aedb8b9770f899a29f1939636db43825e95cf
SHA256: 4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4

Detection

MedusaLocker
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MedusaLocker Ransomware
Contains functionality to modify Windows User Account Control (UAC) settings
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Machine Learning detection for sample
Spreads via Windows shares (copies files to share folders)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Writes many files with high entropy
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May use bcdedit to modify the Windows boot settings
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • f6ifQ0POml.exe (PID: 6836 cmdline: 'C:\Users\user\Desktop\f6ifQ0POml.exe' MD5: 82143033173CBEEE7F559002FB8AB8C5)
    • vssadmin.exe (PID: 1316 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: 7E30B94672107D3381A1D175CF18C147)
      • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 4112 cmdline: wmic.exe SHADOWCOPY /nointeractive MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vssadmin.exe (PID: 6736 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: 7E30B94672107D3381A1D175CF18C147)
      • conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 6592 cmdline: wmic.exe SHADOWCOPY /nointeractive MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vssadmin.exe (PID: 6956 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: 7E30B94672107D3381A1D175CF18C147)
      • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 6972 cmdline: wmic.exe SHADOWCOPY /nointeractive MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svhost.exe (PID: 6864 cmdline: C:\Users\user\AppData\Roaming\svhost.exe MD5: 82143033173CBEEE7F559002FB8AB8C5)
  • svhost.exe (PID: 7004 cmdline: C:\Users\user\AppData\Roaming\svhost.exe MD5: 82143033173CBEEE7F559002FB8AB8C5)
  • svhost.exe (PID: 1740 cmdline: C:\Users\user\AppData\Roaming\svhost.exe MD5: 82143033173CBEEE7F559002FB8AB8C5)
  • cleanup

Malware Configuration

Threatname: MedusaLocker

{"URL": "http://gvlay6u4g53rxdi5.onion/", "RSA key": "BgIAAACkAABSU0ExAAgAAAEAAQBtv9E5cdLPoTK8PwG0VTbxxURbhYM00jmY1b22v+Nwoe6+Vi6zHYcP5JmmueP4FBZBwANscT6dGxHpP4f4l9L9b/VLT6npX7+821EksPXaUJ8piYp8TCQPKRLJt6v7foVnI7jRW//K0wX9YmF7JWbBQROHPQTX7g3CQqZM7xGT4PfMa8g7+UBbstiEThpJo8PE1pgHfZrUFyiMwAv1hoXvaWVeAHKGOvoV+pKZ6Qi2fBCyJFmfL3hChhDWzIjp5oWd3l/RuSgET1sNAV8lkQPpf80OwlxFls5C8OnoG2d7eZJXDhcelK6K67Pp1Y6nC/B5mGpMhERMGnzSg9JKcrOn\n"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
f6ifQ0POml.exe | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\svhost.exe | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000014.00000002.767781620.0000000000B15000.00000002.00020000.sdmp | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security |
00000001.00000000.640333058.0000000000B15000.00000002.00020000.sdmp | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security |
00000014.00000000.766983442.0000000000B15000.00000002.00020000.sdmp | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security |
00000001.00000002.642220287.0000000000B15000.00000002.00020000.sdmp | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security |
00000000.00000003.638943647.000000000071B000.00000004.00000001.sdmp | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
26.2.svhost.exe.aa0000.0.unpack | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security |
1.0.svhost.exe.aa0000.0.unpack | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security |
20.0.svhost.exe.aa0000.0.unpack | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security |
1.2.svhost.exe.aa0000.0.unpack | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security |
26.0.svhost.exe.aa0000.0.unpack | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
  Source: f6ifQ0POml.exe | Avira: detected
Found malware configuration
  Source: svhost.exe.1740.26.memstr | Malware Configuration Extractor: MedusaLocker {"URL": "http://gvlay6u4g53rxdi5.onion/", "RSA key": "BgIAAACkAABSU0ExAAgAAAEAAQBtv9E5cdLPoTK8PwG0VTbxxURbhYM00jmY1b22v+Nwoe6+Vi6zHYcP5JmmueP4FBZBwANscT6dGxHpP4f4l9L9b/VLT6npX7+821EksPXaUJ8piYp8TCQPKRLJt6v7foVnI7jRW//K0wX9YmF7JWbBQROHPQTX7g3CQqZM7xGT4PfMa8g7+UBbstiEThpJo8PE1pgHfZrUFyiMwAv1hoXvaWVeAHKGOvoV+pKZ6Qi2fBCyJFmfL3hChhDWzIjp5oWd3l/RuSgET1sNAV8lkQPpf80OwlxFls5C8OnoG2d7eZJXDhcelK6K67Pp1Y6nC/B5mGpMhERMGnzSg9JKcrOn\n"}
Multi AV Scanner detection for dropped file
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Metadefender: Detection: 65%
  Source: C:\Users\user\AppData\Roaming\svhost.exe | ReversingLabs: Detection: 100%
Multi AV Scanner detection for submitted file
  Source: f6ifQ0POml.exe | Virustotal: Detection: 83%
  Source: f6ifQ0POml.exe | Metadefender: Detection: 65%
  Source: f6ifQ0POml.exe | ReversingLabs: Detection: 100%
Machine Learning detection for sample
  Source: f6ifQ0POml.exe | Joe Sandbox ML: detected
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB60D0 CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,1_2_00AB60D0
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB61C0 std::ios_base::good,CryptDuplicateKey,GetFileAttributesW,SetFileAttributesW,CreateFileW,CloseHandle,MoveFileExW,CloseHandle,CryptDestroyKey,1_2_00AB61C0
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB67E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,1_2_00AB67E0
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB68D0 std::ios_base::good,CryptStringToBinaryA,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptImportKey,GetProcessHeap,HeapFree,1_2_00AB68D0
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6860 CryptAcquireContextW,GetLastError,CryptAcquireContextW,1_2_00AB6860
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6BB0 CryptGenKey,1_2_00AB6BB0
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6BF0 CryptDestroyKey,1_2_00AB6BF0
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6CC0 CryptEncrypt,1_2_00AB6CC0
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6C10 CryptEncrypt,1_2_00AB6C10
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6C70 CryptExportKey,1_2_00AB6C70
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6D30 CryptExportKey,1_2_00AB6D30

Privilege Escalation:

Contains functionality to bypass UAC (CMSTPLUA)
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AC18D0 CoInitialize,CLSIDFromString,IIDFromString,CoGetObject,CoUninitialize,1_2_00AC18D0
  Source: f6ifQ0POml.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
  Source: f6ifQ0POml.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Spreading:

Spreads via Windows shares (copies files to share folders)
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File created: Z:\$RECYCLE.BIN
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File created: Z:\Recovery\WindowsRE\Recovery_Instructions.html
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: z:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: x:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: v:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: t:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: r:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: p:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: n:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: l:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: j:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: h:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: f:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: b:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: y:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: w:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: u:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: s:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: q:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: o:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: m:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: k:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: i:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: g:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: e:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: c:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: a:
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
  Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00B0E180 FindFirstFileExW,_free,1_2_00B0E180
  Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AC7842 FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy,1_2_00AC7842

Networking:

Found Tor onion address
  Source: f6ifQ0POml.exe, 00000000.00000000.638582478.0000000000F86000.00000002.00020000.sdmp | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/
  Source: f6ifQ0POml.exe, 00000000.00000000.638582478.0000000000F86000.00000002.00020000.sdmp | String found in binary or memory: <br><br>SYSTEMDRIVEhttp://gvlay6u4g53rxdi5.onion/\intelSYSTEMDRIVE.Microsoft Enhanced Cryptographic Provider v1.0Microsoft Enhanced Cryptographic Provider v1.0\nvidiaSYSTEMDRIVESYSTEMDRIVESYSTEMDRIVE\Program Files\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files (x86)\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files\Microsoft SQL ServerSYSTEMDRIVE\Program Files (x86)\Microsoft SQL ServerSYSTEMDRIVE[LOCKER] Assign device letter
  Source: svhost.exe | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/
  Source: svhost.exe, 00000001.00000002.642372735.0000000000B36000.00000002.00020000.sdmp | String found in binary or memory: <br><br>SYSTEMDRIVEhttp://gvlay6u4g53rxdi5.onion/\intelSYSTEMDRIVE.Microsoft Enhanced Cryptographic Provider v1.0Microsoft Enhanced Cryptographic Provider v1.0\nvidiaSYSTEMDRIVESYSTEMDRIVESYSTEMDRIVE\Program Files\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files (x86)\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files\Microsoft SQL ServerSYSTEMDRIVE\Program Files (x86)\Microsoft SQL ServerSYSTEMDRIVE[LOCKER] Assign device letter
  Source: svhost.exe, 00000014.00000002.767816684.0000000000B36000.00000002.00020000.sdmp | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/
  Source: svhost.exe, 00000014.00000002.767816684.0000000000B36000.00000002.00020000.sdmp | String found in binary or memory: <br><br>SYSTEMDRIVEhttp://gvlay6u4g53rxdi5.onion/\intelSYSTEMDRIVE.Microsoft Enhanced Cryptographic Provider v1.0Microsoft Enhanced Cryptographic Provider v1.0\nvidiaSYSTEMDRIVESYSTEMDRIVESYSTEMDRIVE\Program Files\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files (x86)\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files\Microsoft SQL ServerSYSTEMDRIVE\Program Files (x86)\Microsoft SQL ServerSYSTEMDRIVE[LOCKER] Assign device letter
  Source: svhost.exe, 00000014.00000002.768636909.00000000011F7000.00000004.00000020.sdmp | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/21-
  Source: svhost.exe, 0000001A.00000002.901483213.0000000000B36000.00000002.00020000.sdmp | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/
  Source: svhost.exe, 0000001A.00000002.901483213.0000000000B36000.00000002.00020000.sdmp | String found in binary or memory: <br><br>SYSTEMDRIVEhttp://gvlay6u4g53rxdi5.onion/\intelSYSTEMDRIVE.Microsoft Enhanced Cryptographic Provider v1.0Microsoft Enhanced Cryptographic Provider v1.0\nvidiaSYSTEMDRIVESYSTEMDRIVESYSTEMDRIVE\Program Files\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files (x86)\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files\Microsoft SQL ServerSYSTEMDRIVE\Program Files (x86)\Microsoft SQL ServerSYSTEMDRIVE[LOCKER] Assign device letter
  Source: f6ifQ0POml.exe | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/
  Source: f6ifQ0POml.exe | String found in binary or memory: ProgramData\Application DataIGN_NOTE_CODE2WINDIRSYSTEMDRIVE\Users\All UsersIGN_NOTE_CODE3\Program FilesSYSTEMDRIVE\WindowsIGN_NOTE_CODE4<br><br>SYSTEMDRIVEhttp://gvlay6u4g53rxdi5.onion/\intelSYSTEMDRIVE.Microsoft Enhanced Cryptographic Provider v1.0Microsoft Enhanced Cryptographic Provider v1.0\nvidiaSYSTEMDRIVESYSTEMDRIVESYSTEMDRIVE\Program Files\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files (x86)\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files\Microsoft SQL ServerSYSTEMDRIVE\Program Files (x86)\Microsoft SQL ServerSYSTEMDRIVE[LOCKER] Assign device letter
  Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
  Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138
  Source: f6ifQ0POml.exe, 00000000.00000003.700397993.0000000004922000.00000004.00000001.sdmp | String found in binary or memory: http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl
  Source: f6ifQ0POml.exe, 00000000.00000003.700397993.0000000004922000.00000004.00000001.sdmp | String found in binary or memory: http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d
                          Source: f6ifQ0POml.exeString found in binary or memory: http://gvlay6u4g53rxdi5.onion/
                          Source: svhost.exe, 00000014.00000002.768636909.00000000011F7000.00000004.00000020.sdmpString found in binary or memory: http://gvlay6u4g53rxdi5.onion/21-
                          Source: Recovery_Instructions.html28.0.drString found in binary or memory: http://gvlay6u4g53rxdi5.onion/21-04BymBUjhm2UYsdPZC8XC25a96k28AR0-OcR1TeBYZH2ghwRnMUFReuoTWOG46gMk
                          Source: f6ifQ0POml.exeString found in binary or memory: https://www.torproject.org
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49698
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49696
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49696 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49692
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
                          Source: svhost.exe, 00000001.00000002.643151848.0000000000F9A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                          Spam, unwanted Advertisements and Ransom Demands:

                          Found ransom note / readme
                          Source: C:\Recovery\WindowsRE\Recovery_Instructions.htmlDropped file: <html> <style type="text/css"> body { background-color: #f5f5f5; }h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal;}/*---*/.tabs1{ display: block; margin: auto;}.tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px;}.tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF;}.tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; }.tabs .content .text{padding: 25px;line-height: 1.2;} </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">6DD127CDFA8605D67E23DCC6BFE3BB9D651E875FCA74C36472A7940EC3AA5BD734A743CCF38DA8695EE759EE828F972FD6DA576FB2A44EA9D7507D1A59691543<br>4085B20033721083277693F3DAE16ED704EC1AEEDDEE90296DC73D7EA1B9FF3D096823644596F2DC0F258EC9C971F744CBA60577FB1319EAF15879A6CC5E<br>41653C3FED6B4955ED012734FB873F0026FA5730E9BE2EAB4A72C686EF31508BD5D876398E7AC82F0C97E3EE2FB131499C1C84D98DFC9AF81E87938A9EC5<br>7B4F4BDDB7A6A2222D86E5E13B34442497F6D4274482601E8CC1130AA87D750777F1681E1880A0136B1B45DCCD86FC45B723994ABEA138EF05BE1B5732ED<br>23CFEAFDE825E24828C8E37DF9C631DBE18340485ACFBCDE864F24FE49EF0AA4366F7D5DFDE0BB3EB1DC10DD4FD9FEFF80F78EBAE6F4D3D341EB4C0DB759<br>813CB897C9CDE1CDBEDAB9E2ED412532BA0BAD0B3D43017971C25760D848DFCC58A1C2A556B58AF80CC11DB3A8AB7C3F024B1AEA92A33F59485A9C4B2027<br>35D32C9D7A2DD67504C1103036450B054C5AC0070711C3FBA83DDBE1F2732B7D08ABB00E8E68C5EDE6C7A246E1ACBB731DE097D822BCC473F5AFB441C016<br>55854F83F8B93A9886C84B75BC0669E68A62F46E83F54362B56BE7A315E8B31CD243B073ABCC6D8A2EBF10662E5E1F3590CDF1166917E5436DF44AE14E8B<br>9E6EC30ADBEAD5EBDA41DFA51E34</span> <br><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"><!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br>ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>WILL PERMENANTLY DESTROY YOUR FILE.<br>DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br>NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br>SOLUTION TO YOUR PROBLEM.<br><br>WE GATHERED
                          Yara detected MedusaLocker Ransomware
                          Source: Yara matchFile source: f6ifQ0POml.exe, type: SAMPLE
                          Source: Yara matchFile source: 00000014.00000002.767781620.0000000000B15000.00000002.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000001.00000000.640333058.0000000000B15000.00000002.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000014.00000000.766983442.0000000000B15000.00000002.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000001.00000002.642220287.0000000000B15000.00000002.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000003.638943647.000000000071B000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000001A.00000000.900797330.0000000000B15000.00000002.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000000.638560363.0000000000F65000.00000002.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000001A.00000002.901407926.0000000000B15000.00000002.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: svhost.exe PID: 1740, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: f6ifQ0POml.exe PID: 6836, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: svhost.exe PID: 7004, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: svhost.exe PID: 6864, type: MEMORY
                          Source: Yara matchFile source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED
                          Source: Yara matchFile source: 26.2.svhost.exe.aa0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.0.svhost.exe.aa0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 20.0.svhost.exe.aa0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 1.2.svhost.exe.aa0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 26.0.svhost.exe.aa0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.0.f6ifQ0POml.exe.ef0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 20.2.svhost.exe.aa0000.0.unpack, type: UNPACKEDPE
                          Deletes shadow drive data (may be related to ransomware)
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeProcess created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeProcess created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeProcess created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
                          Source: f6ifQ0POml.exe, 00000000.00000000.638560363.0000000000F65000.00000002.00020000.sdmpBinary or memory string: vssadmin.exe Delete Shadows /All /Quietbcdedit.exe /set {default} recoveryenabled No[LOCKER] Lock drive bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                          Source: svhost.exeBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet
                          Source: svhost.exe, 00000001.00000000.640333058.0000000000B15000.00000002.00020000.sdmpBinary or memory string: vssadmin.exe Delete Shadows /All /Quietbcdedit.exe /set {default} recoveryenabled No[LOCKER] Lock drive bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                          Source: vssadmin.exe, 00000003.00000002.655359160.0000000002990000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default~
                          Source: vssadmin.exe, 00000003.00000002.654817507.00000000007DC000.00000004.00000010.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00001316- TID: 00002188- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                          Source: vssadmin.exe, 00000003.00000002.654817507.00000000007DC000.00000004.00000010.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00001316- TID: 00002188- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 -
                          Source: vssadmin.exe, 00000003.00000002.655508522.0000000002F40000.00000004.00000040.sdmpBinary or memory string: vssadmin.exeDeleteShadows/All/Quiet;b
                          Source: vssadmin.exe, 00000003.00000002.655389108.00000000029E0000.00000002.00000001.sdmpBinary or memory string: Example Usage: vssadmin Delete ShadowStorage
                          Source: vssadmin.exe, 00000003.00000002.655389108.00000000029E0000.00000002.00000001.sdmpBinary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
                          Source: vssadmin.exe, 00000003.00000002.655389108.00000000029E0000.00000002.00000001.sdmpBinary or memory string: vssadmin Delete Shadows
                          Source: vssadmin.exe, 00000003.00000002.655389108.00000000029E0000.00000002.00000001.sdmpBinary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
                          Source: vssadmin.exe, 00000003.00000002.655389108.00000000029E0000.00000002.00000001.sdmpBinary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
                          Source: vssadmin.exe, 00000008.00000002.662045934.0000000002BD0000.00000004.00000040.sdmpBinary or memory string: vssadmin.exeDeleteShadows/All/Quiet{
                          Source: vssadmin.exe, 00000008.00000002.661990562.0000000002A72000.00000004.00000020.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00006736- TID: 00004780- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                          Source: vssadmin.exe, 00000008.00000002.661045686.00000000005EC000.00000004.00000010.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00006736- TID: 00004780- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 -
                          Source: vssadmin.exe, 00000008.00000002.661505979.00000000028C0000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default
                          Source: vssadmin.exe, 0000000C.00000002.668288962.000000000073C000.00000004.00000010.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00006956- TID: 00007140- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                          Source: vssadmin.exe, 0000000C.00000002.668288962.000000000073C000.00000004.00000010.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00006956- TID: 00007140- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 -
                          Source: vssadmin.exe, 0000000C.00000002.670615012.0000000002DA0000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=WSHEJMDUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows+
                          Source: vssadmin.exe, 0000000C.00000002.670615012.0000000002DA0000.00000004.00000020.sdmpBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet
                          Source: vssadmin.exe, 0000000C.00000002.670615012.0000000002DA0000.00000004.00000020.sdmpBinary or memory string: vssadmin.exe Delete Shadows /All /Quietc
                          Source: vssadmin.exe, 0000000C.00000002.670442315.0000000002C50000.00000002.00000001.sdmpBinary or memory string: Example Usage: vssadmin Delete ShadowStorage
                          Source: vssadmin.exe, 0000000C.00000002.670442315.0000000002C50000.00000002.00000001.sdmpBinary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
                          Source: vssadmin.exe, 0000000C.00000002.670442315.0000000002C50000.00000002.00000001.sdmpBinary or memory string: vssadmin Delete Shadows
                          Source: vssadmin.exe, 0000000C.00000002.670442315.0000000002C50000.00000002.00000001.sdmpBinary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
                          Source: vssadmin.exe, 0000000C.00000002.670442315.0000000002C50000.00000002.00000001.sdmpBinary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
                          Source: vssadmin.exe, 0000000C.00000002.668360332.00000000007C0000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default
                          Source: vssadmin.exe, 0000000C.00000002.668312110.00000000007B0000.00000004.00000040.sdmpBinary or memory string: {vssadmin.exeDeleteShadows/All/QuietI%
                          Source: svhost.exe, 00000014.00000002.767781620.0000000000B15000.00000002.00020000.sdmpBinary or memory string: vssadmin.exe Delete Shadows /All /Quietbcdedit.exe /set {default} recoveryenabled No[LOCKER] Lock drive bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                          Source: svhost.exe, 0000001A.00000000.900797330.0000000000B15000.00000002.00020000.sdmpBinary or memory string: vssadmin.exe Delete Shadows /All /Quietbcdedit.exe /set {default} recoveryenabled No[LOCKER] Lock drive bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                          Source: f6ifQ0POml.exeBinary or memory string: vssadmin.exe Delete Shadows /All /Quietbcdedit.exe /set {default} recoveryenabled No[LOCKER] Lock drive bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                          Writes many files with high entropy
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\Recovery\WindowsRE\boot.sdi entropy: 7.99993398296
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\bg-BG\bootmgfw.efi.mui entropy: 7.99777887488
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\bg-BG\bootmgr.efi.mui entropy: 7.99755155608
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\Recovery\WindowsRE\Winre.wim entropy: 7.99998850055
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\bootmgfw.efi entropy: 7.99985141476
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\ProgramData\Microsoft\Network\Downloader\edb.chk entropy: 7.99283545042
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\bootmgr.efi entropy: 7.99983695496
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db entropy: 7.99988711477
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\cs-CZ\bootmgfw.efi.mui entropy: 7.99799861336
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\cs-CZ\bootmgr.efi.mui entropy: 7.9975934358
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\cs-CZ\memtest.efi.mui entropy: 7.99575586991
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\ProgramData\Microsoft\Windows\ClipSVC\tokens.dat entropy: 7.99988316856
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\da-DK\bootmgfw.efi.mui entropy: 7.99805144443
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\da-DK\bootmgr.efi.mui entropy: 7.99768556161
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\da-DK\memtest.efi.mui entropy: 7.99599806557
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\de-DE\bootmgfw.efi.mui entropy: 7.99790649838
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\de-DE\bootmgr.efi.mui entropy: 7.99746519941
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\de-DE\memtest.efi.mui entropy: 7.99652449153
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\el-GR\bootmgfw.efi.mui entropy: 7.99741618851
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\el-GR\bootmgr.efi.mui entropy: 7.9978100613
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\el-GR\memtest.efi.mui entropy: 7.99641941408
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\en-GB\bootmgfw.efi.mui entropy: 7.99769154964
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\en-GB\bootmgr.efi.mui entropy: 7.99780086352
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\en-US\bootmgfw.efi.mui entropy: 7.99761157945
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\en-US\bootmgr.efi.mui entropy: 7.99764539929
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\en-US\memtest.efi.mui entropy: 7.99603664214
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\es-ES\bootmgfw.efi.mui entropy: 7.99786961177
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\es-ES\bootmgr.efi.mui entropy: 7.9978527838
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\es-ES\memtest.efi.mui entropy: 7.99684864275
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\es-MX\bootmgfw.efi.mui entropy: 7.99770061879
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\es-MX\bootmgr.efi.mui entropy: 7.99773412622
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\et-EE\bootmgfw.efi.mui entropy: 7.9977131426
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\et-EE\bootmgr.efi.mui entropy: 7.99750628739
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\fi-FI\bootmgfw.efi.mui entropy: 7.99772330718
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\fi-FI\bootmgr.efi.mui entropy: 7.99756661879
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\fi-FI\memtest.efi.mui entropy: 7.99621556427
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\fr-CA\bootmgfw.efi.mui entropy: 7.99781542733
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\fr-CA\bootmgr.efi.mui entropy: 7.99756611877
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\fr-FR\bootmgfw.efi.mui entropy: 7.99750963201
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\fr-FR\bootmgr.efi.mui entropy: 7.99788128902
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\fr-FR\memtest.efi.mui entropy: 7.99643281427
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\ProgramData\USOShared\Logs\UpdateUx_Temp.1.etl entropy: 7.99573948618
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\hr-HR\bootmgfw.efi.mui entropy: 7.99783388738
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\hr-HR\bootmgr.efi.mui entropy: 7.99795185678
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\hu-HU\bootmgfw.efi.mui entropy: 7.99730327412
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\hu-HU\bootmgr.efi.mui entropy: 7.99766977988
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\hu-HU\memtest.efi.mui entropy: 7.9961429988
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\it-IT\bootmgfw.efi.mui entropy: 7.9975320606
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\it-IT\bootmgr.efi.mui entropy: 7.99788657853
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs entropy: 7.9998615952
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\it-IT\memtest.efi.mui entropy: 7.99583412945
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\ja-JP\bootmgfw.efi.mui entropy: 7.99799834095
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs entropy: 7.9998615952
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\ja-JP\bootmgr.efi.mui entropy: 7.9973644336
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\ja-JP\memtest.efi.mui entropy: 7.99588638126
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\ko-KR\bootmgfw.efi.mui entropy: 7.99735256224
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\ko-KR\bootmgr.efi.mui entropy: 7.99743542977
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\ko-KR\memtest.efi.mui entropy: 7.99573981074
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\lt-LT\bootmgfw.efi.mui entropy: 7.99781420385
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx entropy: 7.99981138481
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\lt-LT\bootmgr.efi.mui entropy: 7.99762048189
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\lv-LV\bootmgfw.efi.mui entropy: 7.99798366958
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx entropy: 7.99984009993
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\lv-LV\bootmgr.efi.mui entropy: 7.99764805371
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\memtest.efi entropy: 7.9998141054
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs entropy: 7.99728865891
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\nb-NO\bootmgfw.efi.mui entropy: 7.99772549827
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs entropy: 7.99728865891
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\nb-NO\bootmgr.efi.mui entropy: 7.99765505615
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db entropy: 7.99897547936
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\nb-NO\memtest.efi.mui entropy: 7.99628443815
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\nl-NL\bootmgfw.efi.mui entropy: 7.99787359498
                          Source: C:\Users\user\Desktop\f6ifQ0POml.exeFile created: C:\EFI\Microsoft\Boot\nl-NL\bootmgr.efi.mui entropy: 7.99765