Overview
overview
10Static
static
3FoxRansomw...65.exe
windows7-x64
10FoxRansomw...65.exe
windows10-2004-x64
10FoxRansomw...a7.exe
windows7-x64
10FoxRansomw...a7.exe
windows10-2004-x64
10FoxRansomw...20.exe
windows7-x64
10FoxRansomw...20.exe
windows10-2004-x64
10FoxRansomw...0b.exe
windows7-x64
10FoxRansomw...0b.exe
windows10-2004-x64
10FoxRansomw...53.exe
windows7-x64
10FoxRansomw...53.exe
windows10-2004-x64
10FoxRansomw...b1.exe
windows7-x64
10FoxRansomw...b1.exe
windows10-2004-x64
10Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03-04-2024 17:56
Static task
static1
Behavioral task
behavioral1
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win7-20240319-en
Behavioral task
behavioral12
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win10v2004-20240226-en
General
-
Target
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
-
Size
1.2MB
-
MD5
1fa1b6d4b3ed867c1d4baffc77417611
-
SHA1
afb5e385f9cc8910d7a970b6c32b8d79295579da
-
SHA256
91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
-
SHA512
0600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5
-
SSDEEP
24576:K/SA+2lraRrjSJR5ezmT1dM9bBkNIDreFqO:2Xl9Ife
Malware Config
Extracted
http://myexternalip.com/raw
Extracted
C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\#FOX_README#.rtf
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jre7\lib\zi\Pacific\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\plugins\gui\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\skins\fonts\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Public\Videos\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\Chess\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jre7\lib\zi\America\Kentucky\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\More Games\es-ES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\Solitaire\it-IT\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Local\Microsoft\Media Player\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jre7\lib\management\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\More Games\ja-JP\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Mozilla Firefox\uninstall\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Mozilla Firefox\fonts\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\plugins\mux\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\3082\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Public\Downloads\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Library\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Public\Recorded TV\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\db\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Mozilla Firefox\browser\VisualElements\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\Purble Place\en-US\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gdoevwuq.default-release\settings\main\ms-language-packs\browser\newtab\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\Chess\fr-FR\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 3564 bcdedit.exe 3560 bcdedit.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 9 2336 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS nPcROQkf64.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" nPcROQkf64.exe -
Executes dropped EXE 3 IoCs
pid Process 3036 NW9Vuh6B.exe 3836 nPcROQkf.exe 3980 nPcROQkf64.exe -
Loads dropped DLL 4 IoCs
pid Process 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 3112 cmd.exe 3836 nPcROQkf.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2600 takeown.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral9/files/0x0006000000016d36-2558.dat upx behavioral9/memory/3836-2561-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral9/memory/3836-7381-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Drops desktop.ini file(s) 43 IoCs
description ioc Process File opened for modification C:\Users\Public\Recorded TV\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\266EQP1S\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2Y0HPGOE\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Music\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Music\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Documents\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Links\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JP38OXIN\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AS4I30IR\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Videos\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\N: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\P: nPcROQkf64.exe File opened (read-only) \??\V: nPcROQkf64.exe File opened (read-only) \??\W: nPcROQkf64.exe File opened (read-only) \??\Z: nPcROQkf64.exe File opened (read-only) \??\Z: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\S: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\Q: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\B: nPcROQkf64.exe File opened (read-only) \??\M: nPcROQkf64.exe File opened (read-only) \??\Y: nPcROQkf64.exe File opened (read-only) \??\L: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\H: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\L: nPcROQkf64.exe File opened (read-only) \??\R: nPcROQkf64.exe File opened (read-only) \??\U: nPcROQkf64.exe File opened (read-only) \??\Y: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\R: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\P: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\A: nPcROQkf64.exe File opened (read-only) \??\O: nPcROQkf64.exe File opened (read-only) \??\W: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\J: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\G: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\E: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\H: nPcROQkf64.exe File opened (read-only) \??\J: nPcROQkf64.exe File opened (read-only) \??\S: nPcROQkf64.exe File opened (read-only) \??\T: nPcROQkf64.exe File opened (read-only) \??\V: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\T: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\O: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\I: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\K: nPcROQkf64.exe File opened (read-only) \??\Q: nPcROQkf64.exe File opened (read-only) \??\K: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\N: nPcROQkf64.exe File opened (read-only) \??\X: nPcROQkf64.exe File opened (read-only) \??\X: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\M: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\E: nPcROQkf64.exe File opened (read-only) \??\G: nPcROQkf64.exe File opened (read-only) \??\I: nPcROQkf64.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 myexternalip.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\acDG4t2B.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jre7\lib\zi\America\St_Johns 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.JS 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\List.accdt 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299763.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_K_COL.HXK 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.InfoPath.FormControl.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14830_.GIF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00202_.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR12F.GIF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\7-Zip\Lang\hi.txt 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Manaus 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151047.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\index.html 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152884.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STRBRST.POC 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTL.ICO 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusDoNotDisturb.ico 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_pl.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_zh_CN.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Hardcover.thmx 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\ReachFramework.resources.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02166_.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_ON.GIF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\awt.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Boise 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\vlc.mo 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00648_.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0295069.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_zh-CN.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_de.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN109.XML 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5496 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4644 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2336 powershell.exe 3980 nPcROQkf64.exe 3980 nPcROQkf64.exe 3980 nPcROQkf64.exe 3980 nPcROQkf64.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 3980 nPcROQkf64.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeDebugPrivilege 2336 powershell.exe Token: SeDebugPrivilege 3980 nPcROQkf64.exe Token: SeLoadDriverPrivilege 3980 nPcROQkf64.exe Token: SeBackupPrivilege 2628 vssvc.exe Token: SeRestorePrivilege 2628 vssvc.exe Token: SeAuditPrivilege 2628 vssvc.exe Token: SeIncreaseQuotaPrivilege 3720 WMIC.exe Token: SeSecurityPrivilege 3720 WMIC.exe Token: SeTakeOwnershipPrivilege 3720 WMIC.exe Token: SeLoadDriverPrivilege 3720 WMIC.exe Token: SeSystemProfilePrivilege 3720 WMIC.exe Token: SeSystemtimePrivilege 3720 WMIC.exe Token: SeProfSingleProcessPrivilege 3720 WMIC.exe Token: SeIncBasePriorityPrivilege 3720 WMIC.exe Token: SeCreatePagefilePrivilege 3720 WMIC.exe Token: SeBackupPrivilege 3720 WMIC.exe Token: SeRestorePrivilege 3720 WMIC.exe Token: SeShutdownPrivilege 3720 WMIC.exe Token: SeDebugPrivilege 3720 WMIC.exe Token: SeSystemEnvironmentPrivilege 3720 WMIC.exe Token: SeRemoteShutdownPrivilege 3720 WMIC.exe Token: SeUndockPrivilege 3720 WMIC.exe Token: SeManageVolumePrivilege 3720 WMIC.exe Token: 33 3720 WMIC.exe Token: 34 3720 WMIC.exe Token: 35 3720 WMIC.exe Token: SeIncreaseQuotaPrivilege 3720 WMIC.exe Token: SeSecurityPrivilege 3720 WMIC.exe Token: SeTakeOwnershipPrivilege 3720 WMIC.exe Token: SeLoadDriverPrivilege 3720 WMIC.exe Token: SeSystemProfilePrivilege 3720 WMIC.exe Token: SeSystemtimePrivilege 3720 WMIC.exe Token: SeProfSingleProcessPrivilege 3720 WMIC.exe Token: SeIncBasePriorityPrivilege 3720 WMIC.exe Token: SeCreatePagefilePrivilege 3720 WMIC.exe Token: SeBackupPrivilege 3720 WMIC.exe Token: SeRestorePrivilege 3720 WMIC.exe Token: SeShutdownPrivilege 3720 WMIC.exe Token: SeDebugPrivilege 3720 WMIC.exe Token: SeSystemEnvironmentPrivilege 3720 WMIC.exe Token: SeRemoteShutdownPrivilege 3720 WMIC.exe Token: SeUndockPrivilege 3720 WMIC.exe Token: SeManageVolumePrivilege 3720 WMIC.exe Token: 33 3720 WMIC.exe Token: 34 3720 WMIC.exe Token: 35 3720 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2116 wrote to memory of 2016 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 29 PID 2116 wrote to memory of 2016 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 29 PID 2116 wrote to memory of 2016 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 29 PID 2116 wrote to memory of 2016 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 29 PID 2116 wrote to memory of 3036 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 31 PID 2116 wrote to memory of 3036 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 31 PID 2116 wrote to memory of 3036 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 31 PID 2116 wrote to memory of 3036 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 31 PID 2116 wrote to memory of 1532 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 33 PID 2116 wrote to memory of 1532 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 33 PID 2116 wrote to memory of 1532 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 33 PID 2116 wrote to memory of 1532 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 33 PID 1532 wrote to memory of 2336 1532 cmd.exe 35 PID 1532 wrote to memory of 2336 1532 cmd.exe 35 PID 1532 wrote to memory of 2336 1532 cmd.exe 35 PID 1532 wrote to memory of 2336 1532 cmd.exe 35 PID 2116 wrote to memory of 1480 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 38 PID 2116 wrote to memory of 1480 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 38 PID 2116 wrote to memory of 1480 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 38 PID 2116 wrote to memory of 1480 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 38 PID 2116 wrote to memory of 1972 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 39 PID 2116 wrote to memory of 1972 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 39 PID 2116 wrote to memory of 1972 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 39 PID 2116 wrote to memory of 1972 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 39 PID 1480 wrote to memory of 1112 1480 cmd.exe 42 PID 1480 wrote to memory of 1112 1480 cmd.exe 42 PID 1480 wrote to memory of 1112 1480 cmd.exe 42 PID 1480 wrote to memory of 1112 1480 cmd.exe 42 PID 2116 wrote to memory of 2912 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 44 PID 2116 wrote to memory of 2912 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 44 PID 2116 wrote to memory of 2912 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 44 PID 2116 wrote to memory of 2912 2116 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 44 PID 1972 wrote to memory of 856 1972 cmd.exe 43 PID 1972 wrote to memory of 856 1972 cmd.exe 43 PID 1972 wrote to memory of 856 1972 cmd.exe 43 PID 1972 wrote to memory of 856 1972 cmd.exe 43 PID 1480 wrote to memory of 1732 1480 cmd.exe 46 PID 1480 wrote to memory of 1732 1480 cmd.exe 46 PID 1480 wrote to memory of 1732 1480 cmd.exe 46 PID 1480 wrote to memory of 1732 1480 cmd.exe 46 PID 1480 wrote to memory of 2884 1480 cmd.exe 47 PID 1480 wrote to memory of 2884 1480 cmd.exe 47 PID 1480 wrote to memory of 2884 1480 cmd.exe 47 PID 1480 wrote to memory of 2884 1480 cmd.exe 47 PID 2912 wrote to memory of 1648 2912 cmd.exe 48 PID 2912 wrote to memory of 1648 2912 cmd.exe 48 PID 2912 wrote to memory of 1648 2912 cmd.exe 48 PID 2912 wrote to memory of 1648 2912 cmd.exe 48 PID 2912 wrote to memory of 336 2912 cmd.exe 49 PID 2912 wrote to memory of 336 2912 cmd.exe 49 PID 2912 wrote to memory of 336 2912 cmd.exe 49 PID 2912 wrote to memory of 336 2912 cmd.exe 49 PID 856 wrote to memory of 4516 856 wscript.exe 50 PID 856 wrote to memory of 4516 856 wscript.exe 50 PID 856 wrote to memory of 4516 856 wscript.exe 50 PID 856 wrote to memory of 4516 856 wscript.exe 50 PID 4516 wrote to memory of 5496 4516 cmd.exe 53 PID 4516 wrote to memory of 5496 4516 cmd.exe 53 PID 4516 wrote to memory of 5496 4516 cmd.exe 53 PID 4516 wrote to memory of 5496 4516 cmd.exe 53 PID 2912 wrote to memory of 2600 2912 cmd.exe 54 PID 2912 wrote to memory of 2600 2912 cmd.exe 54 PID 2912 wrote to memory of 2600 2912 cmd.exe 54 PID 2912 wrote to memory of 2600 2912 cmd.exe 54 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1648 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe"1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NW9Vuh6B.exe"2⤵PID:2016
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NW9Vuh6B.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NW9Vuh6B.exe" -n2⤵
- Executes dropped EXE
PID:3036
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fKaDStvL.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\acDG4t2B.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\acDG4t2B.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:1112
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:1732
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:2884
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\i0M8Jgfj.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\i0M8Jgfj.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\ZbYVLRuH.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\ZbYVLRuH.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:5496
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:5736
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:4616
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\GFXqdBVE.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""2⤵
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"3⤵
- Views/modifies file attributes
PID:1648
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C3⤵PID:336
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"3⤵
- Modifies file permissions
PID:2600
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nPcROQkf.exe -accepteula "ENUtxt.pdf" -nobanner3⤵
- Loads dropped DLL
PID:3112 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\nPcROQkf.exenPcROQkf.exe -accepteula "ENUtxt.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3836 -
C:\Users\Admin\AppData\Local\Temp\nPcROQkf64.exenPcROQkf.exe -accepteula "ENUtxt.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3980
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {5F1E9A07-9523-4D35-9CF3-347E17E26D4E} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵PID:5252
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ZbYVLRuH.bat"2⤵PID:1316
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:4644
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:3564
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:3560
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F3⤵PID:3648
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5178313ec495a9c64871539ebf9576a9e
SHA175f5bfe9036de1c4e629b0a703a17bfa55093954
SHA256ff5a05a8c5389eb039b551b4c484f873c9f675934cf8712415272802769a7ba5
SHA5121377c7c059bcd02feb4ecacff2d8e1d5fab4ce360bb4f1b91df231eda1c222570c753801562179742698e8d7eaa2df60a1e55ecc14794c0ec0eff97bcf7790cc
-
Filesize
8KB
MD5f3818c05e1b1ad605b94f4e8a14d7c07
SHA1613623bab7f5d761f1b3aed7b71beb4b95a85132
SHA256dd4b2a7700b615bff95830bb0fcf28167209271a0db54d3a04ce3624b25307a9
SHA51248ee9bb4e08fa408e28a33d01d43b72456e0546d68f5abea156fce1afdec9b0201c7d9259fb49964e1f388055d6a550033d819cd3463d2e846622a0241e3d86d
-
Filesize
246B
MD5139d0e0ec1b06672955ea06356979b33
SHA199dfab8986a8883e589dc4741ce7e321437bb6a4
SHA2567f991d6319d5c039f37e59c396243fa31e1fd5d86009e276a72b0ea4c79a307f
SHA51207f9ed3b7e908fbcfc62f7dfe0f68021cd571142969e53be978af65310318e27e639ebfb9259ba767e45c7a8a645e9f19c814273a306676ed731285546e7330f
-
Filesize
1.2MB
MD51fa1b6d4b3ed867c1d4baffc77417611
SHA1afb5e385f9cc8910d7a970b6c32b8d79295579da
SHA25691d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
SHA5120600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5
-
Filesize
31KB
MD50dd029f281b8b717ace1e87c6f3f0af5
SHA18f16e224de1f67df719bcf1006a060b77f872617
SHA256999489709512063497eecf001100f65c7644e16ef55585d6dec235754f4635a4
SHA5123001c4dca7904f56bd201da8322b33581bedb3d574ef5583b3b29e311579de39f3abd1d45a9e31a187cdfedcedd8d3350d066553388b8c551f108d4d5d8fa1a3
-
Filesize
16B
MD517d432845dc7cb55ac69d75cf72f7f5d
SHA17f3b6e6ab91b3a13c0611fe6e95befab691d5cc3
SHA256a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4
SHA51225054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
265B
MD580f83030755091073f17bbeec2bd3f41
SHA1ea272eabf09b7f698eeea5b060245644fb72d66b
SHA2564dc2ead259239671fea10b954e0ace1e91e638d766cccd53c6fc8ceec584d088
SHA51287ffedc740c401aff964b876297757a13fa821266467e7f1eebe53859df05ff92507c328a3af9916b930d26b44a5ebf335a95f8c08f39c13309e1e580d98c94e
-
Filesize
260B
MD571dfee6588348930904b3bff571158d9
SHA18b688e3d7f334cac155ce832f9487c204020b583
SHA2563c78415b3cd7b044cab8c3486d524b40a211e02ba3ec4e841f246854776d7aa6
SHA5128268a760e2b57c457765f4ae4ab672c1d676508607c22d6405bfa9ba4bc9c612cb866fb7185d742ef90c69c61a12d7734bc9db4284191ea37dd0c60fef73c3e6