Overview
overview
10Static
static
3FoxRansomw...65.exe
windows7-x64
10FoxRansomw...65.exe
windows10-2004-x64
10FoxRansomw...a7.exe
windows7-x64
10FoxRansomw...a7.exe
windows10-2004-x64
10FoxRansomw...20.exe
windows7-x64
10FoxRansomw...20.exe
windows10-2004-x64
10FoxRansomw...0b.exe
windows7-x64
10FoxRansomw...0b.exe
windows10-2004-x64
10FoxRansomw...53.exe
windows7-x64
10FoxRansomw...53.exe
windows10-2004-x64
10FoxRansomw...b1.exe
windows7-x64
10FoxRansomw...b1.exe
windows10-2004-x64
10Analysis
-
max time kernel
162s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
13-02-2024 05:15
Static task
static1
Behavioral task
behavioral1
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral11
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win10v2004-20231215-en
General
-
Target
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
-
Size
1.2MB
-
MD5
607d292bdcdde297252e002e613282ae
-
SHA1
0161d2dd582d064f7e7f50ccb43478ff0884916a
-
SHA256
0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65
-
SHA512
2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8
-
SSDEEP
24576:J/SA+2lraRrjSJR5ezmT1dM9bB5slYQt2e8F/KpXcd:PXlOslYQt+5
Malware Config
Extracted
http://myexternalip.com/raw
Extracted
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\storage\#ANN_README#.rtf
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description ioc Process File created C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Google\Chrome\Application\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\host\fxr\8.0.0\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\storage\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\host\fxr\6.0.25\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\storage\permanent\chrome\idb\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jre-1.8\lib\deploy\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\All Users\Microsoft\Diagnosis\ScenariosSqlStore\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\Documents\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\ProgramData\Microsoft\Network\Downloader\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\3ECA83A8-15D7-4403-B198-65C431ED0743\x-none.16\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\swidtag\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\Downloads\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\Music\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\Pictures\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\3ECA83A8-15D7-4403-B198-65C431ED0743\en-us.16\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\ProgramData\Microsoft\SmsRouter\MessageStore\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\Desktop\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Roaming\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\ProgramData\Microsoft\Diagnosis\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk-1.8\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\odt\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 1142 952 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation wscript.exe -
Executes dropped EXE 1 IoCs
pid Process 388 NWd22ypi.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3480 takeown.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Program Files\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\U: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\T: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\R: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\Q: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\K: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\Z: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\S: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\P: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\E: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\O: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\M: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\L: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\J: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\G: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\Y: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\X: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\W: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\N: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\I: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\H: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1141 myexternalip.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\MTYHGEB7.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\Microsoft.Win32.Registry.AccessControl.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Mozilla Firefox\application.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.VisualBasic.Core.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\System.Windows.Controls.Ribbon.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Private.CoreLib.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\PresentationUI.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\dbgshim.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.WebSockets.Client.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework-SystemCore.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\System.Windows.Forms.Design.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\vlc.mo 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\WindowsBase.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\UIAutomationClientSideProviders.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\PresentationFramework.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\ReachFramework.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\tzmappings 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Compression.ZipFile.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\System.Windows.Forms.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\System.Windows.Input.Manipulations.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.MemoryMappedFiles.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\currency.data 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Core.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.IsolatedStorage.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\coreclr.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\UIAutomationTypes.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Cryptography.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ReachFramework.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jli.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\PresentationCore.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Drawing.Common.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\PresentationFramework.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Linq.Parallel.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\javafx-src.zip 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\System.Windows.Forms.Primitives.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Mozilla Firefox\msvcp140.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\PresentationUI.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\System.Windows.Forms.Design.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\System.Windows.Forms.Design.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\System.Windows.Input.Manipulations.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Private.Xml.Linq.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\System.Windows.Forms.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jdwp.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Compression.FileSystem.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\WindowsFormsIntegration.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 952 powershell.exe 952 powershell.exe 952 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 952 powershell.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 4604 wrote to memory of 2412 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 85 PID 4604 wrote to memory of 2412 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 85 PID 4604 wrote to memory of 2412 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 85 PID 4604 wrote to memory of 388 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 87 PID 4604 wrote to memory of 388 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 87 PID 4604 wrote to memory of 388 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 87 PID 4604 wrote to memory of 992 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 95 PID 4604 wrote to memory of 992 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 95 PID 4604 wrote to memory of 992 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 95 PID 992 wrote to memory of 952 992 cmd.exe 97 PID 992 wrote to memory of 952 992 cmd.exe 97 PID 992 wrote to memory of 952 992 cmd.exe 97 PID 4604 wrote to memory of 3844 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 100 PID 4604 wrote to memory of 3844 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 100 PID 4604 wrote to memory of 3844 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 100 PID 4604 wrote to memory of 5016 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 101 PID 4604 wrote to memory of 5016 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 101 PID 4604 wrote to memory of 5016 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 101 PID 4604 wrote to memory of 2296 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 104 PID 4604 wrote to memory of 2296 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 104 PID 4604 wrote to memory of 2296 4604 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 104 PID 3844 wrote to memory of 4892 3844 cmd.exe 106 PID 3844 wrote to memory of 4892 3844 cmd.exe 106 PID 3844 wrote to memory of 4892 3844 cmd.exe 106 PID 5016 wrote to memory of 4516 5016 cmd.exe 107 PID 5016 wrote to memory of 4516 5016 cmd.exe 107 PID 5016 wrote to memory of 4516 5016 cmd.exe 107 PID 2296 wrote to memory of 2472 2296 cmd.exe 108 PID 2296 wrote to memory of 2472 2296 cmd.exe 108 PID 2296 wrote to memory of 2472 2296 cmd.exe 108 PID 3844 wrote to memory of 4972 3844 cmd.exe 109 PID 3844 wrote to memory of 4972 3844 cmd.exe 109 PID 3844 wrote to memory of 4972 3844 cmd.exe 109 PID 2296 wrote to memory of 4068 2296 cmd.exe 111 PID 2296 wrote to memory of 4068 2296 cmd.exe 111 PID 2296 wrote to memory of 4068 2296 cmd.exe 111 PID 3844 wrote to memory of 4760 3844 cmd.exe 112 PID 3844 wrote to memory of 4760 3844 cmd.exe 112 PID 3844 wrote to memory of 4760 3844 cmd.exe 112 PID 2296 wrote to memory of 3480 2296 cmd.exe 113 PID 2296 wrote to memory of 3480 2296 cmd.exe 113 PID 2296 wrote to memory of 3480 2296 cmd.exe 113 PID 4516 wrote to memory of 2180 4516 wscript.exe 115 PID 4516 wrote to memory of 2180 4516 wscript.exe 115 PID 4516 wrote to memory of 2180 4516 wscript.exe 115 PID 2296 wrote to memory of 6068 2296 cmd.exe 117 PID 2296 wrote to memory of 6068 2296 cmd.exe 117 PID 2296 wrote to memory of 6068 2296 cmd.exe 117 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2472 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe"1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWd22ypi.exe"2⤵PID:2412
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWd22ypi.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWd22ypi.exe" -n2⤵
- Executes dropped EXE
PID:388
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\KYYFtAoQ.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MTYHGEB7.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MTYHGEB7.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:4892
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:4972
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:4760
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\bB5OGSOE.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\bB5OGSOE.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\og1rFSDO.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵PID:2180
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\FsjtY9Dm.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db""2⤵
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"3⤵
- Views/modifies file attributes
PID:2472
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" /E /G Admin:F /C3⤵PID:4068
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"3⤵
- Modifies file permissions
PID:3480
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c l98EwHxi.exe -accepteula "ActivitiesCache.db" -nobanner3⤵PID:6068
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
246B
MD5f3eac82d971d69aa6f9a88dbc2ad33c4
SHA1880f4e4780f27b9068f497b7cb06e680006397a5
SHA2567238e370384e17bfb6d010b8aaec7024e5546316c853eb2bee42dc9b18168f7c
SHA5123af785d046e467ded20b5be75b83930a147a54a6952df4076f81e12c25a786573647cbe89def7ca6f82f9f0d919d6b400ab6f274276225527cf0b446e1403831
-
Filesize
14B
MD5c74dacdd9331a6698efffe81ff66ac08
SHA179e8ce4bb5cc2436e95fad4a74a31aee7aa63043
SHA25682ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c
SHA51224620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da
-
Filesize
1.2MB
MD5607d292bdcdde297252e002e613282ae
SHA10161d2dd582d064f7e7f50ccb43478ff0884916a
SHA2560676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65
SHA5122bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8
-
Filesize
1020B
MD59fee562db5d0ce2aeaec32c487212222
SHA182f3e3ed52da97f2cb2298d29be7f652ce747e98
SHA25608342aa4ed7eebb0b9061176e9cc676f6f12a00208f29cae7262508902723911
SHA51244aa145307ceea2d924898f62bba4d37268f54ce3ec2babe395edf1058019866509565fbe9852d754ff132f455913571ccd0ee5d0be1974ffeb568f6d78775b9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\storage\#ANN_README#.rtf
Filesize8KB
MD5e04d19fb8e7cda2fcf0f6cdd5920e1a9
SHA1f3406695e90eb84340c2102c3b458d542c74da09
SHA256a20328cbdc03e7b979f7e581b742bdbccdbba3f9e4636a3cc562b8ffb3c204f1
SHA512db593944e7e6fa4f486caf09cb392dedc7de2a458489617c1ba074426dfd62fa56467b5eaf03771ee5f44906626ae8d4f08d96f9f2570a4547cfb27338631f13
-
Filesize
260B
MD5eb21ffb08948098f8afebf1297f31bc4
SHA110807c5e9ffa0a65e34b5a1bb17c6919011f356b
SHA256ee94d771e56c16d8995dd647b931caaffd033e317e787feea856f43cfffc852f
SHA512645ce267f591c1aff84c3f32a8fd14f0a48ff2d398602b9ae88ae8700bd87708af8494529add167d762d844d6fbaf5853a231bad7e3c6796565e6d08bad1b19e